Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4

with profile NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS
This compliance profile reflects the core set of Moderate-Impact Baseline configuration settings for deployment of Red Hat Enterprise Linux CoreOS into U.S. Defense, Intelligence, and Civilian agencies. Development partners and sponsors include the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat. This baseline implements configuration requirements from the following sources:

- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen. Security Requirement Traceability Guides (RTMs) and sample System Security Configuration Guides are provided via the scap-security-guide-docs package. This profile reflects U.S. Government consensus content and is developed through the ComplianceAsCode initiative, championed by the National Security Agency. Except for differences in formatting to accommodate publishing processes, this profile mirrors ComplianceAsCode content as minor divergences, such as bugfixes, work through the consensus and release processes.
This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux CoreOS 4. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the scap-security-guide package, which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation target: ip-10-0-2-210.us-west-1.compute.internal
Target ID: ip-10-0-2-210.us-west-1.compute.internal
Benchmark URL: #scap_org.open-scap_comp_ssg-rhcos4-xccdf.xml
Benchmark ID: xccdf_org.ssgproject.content_benchmark_RHCOS-4
Benchmark version: 0.1.77
Profile ID: xccdf_org.ssgproject.content_profile_moderate
Started at: 2025-10-23T19:33:56+00:00
Finished at: 2025-10-23T19:36:55+00:00
Performed by: unknown user
Test system: cpe:/a:redhat:openscap:1.3.12

CPE Platforms

  • cpe:/o:redhat:enterprise_linux_coreos:4

Addresses

    Compliance and Scoring

    The target system did not satisfy the conditions of 194 rules! Please review rule results and consider applying remediation.

    Rule results

    38 passed
    194 failed
    4 other

    Severity of failed rules

    4 other
    14 low
    170 medium
    6 high

    Score

    Scoring system: urn:xccdf:scoring:default
    Score: 39.602665
    Maximum: 100.000000
    Percent: 39.6%

    Rule Overview

    Title | Severity | Result
    Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4 194x fail 4x notchecked
    System Settings 63x fail 4x notchecked
    Installing and Maintaining Software 2x fail 2x notchecked
    System and Software Integrity 2x fail
    Federal Information Processing Standard (FIPS) 1x fail
    Enable FIPS Mode | high | fail
    System Cryptographic Policies 1x fail
    Configure System Cryptography Policy | high | fail
    Configure Kerberos to use System Crypto Policy | high | pass
    Configure OpenSSL library to use System Crypto Policy | medium | pass
    Configure SSH to use System Crypto Policy | medium | pass
    Disk Partitioning 2x notchecked
    Ensure /var/log Located On Separate Partition | low | notchecked
    Ensure /var/log/audit Located On Separate Partition | low | notchecked
    Sudo
    Install sudo Package | medium | pass
    Account and Access Control 7x fail
    Warning Banners for System Accesses 1x fail
    Modify the System Login Banner | medium | fail
    Protect Physical Console Access 4x fail
    Configure Screen Locking 1x fail
    Configure Console Screen Locking 1x fail
    Prevent user from disabling the screen lock | low | fail
    Disable debug-shell SystemD Service | medium | fail
    Verify that Interactive Boot is Disabled | medium | pass
    Disable Ctrl-Alt-Del Burst Action | high | fail
    Disable Ctrl-Alt-Del Reboot Activation | high | fail
    Require Authentication for Single User Mode | medium | pass
    Protect Accounts by Restricting Password-Based Login 2x fail
    Verify Proper Storage and Existence of Password Hashes 1x fail
    Prevent Login to Accounts With Empty Password | high | fail
    Verify No netrc Files Exist | medium | pass
    Restrict Root Logins 1x fail
    Verify Only Root Has UID 0 | high | pass
    Direct root Logins Not Allowed | medium | fail
    Ensure that System Accounts Do Not Run a Shell Upon Login | medium | pass
    GRUB2 bootloader configuration 2x fail
    Enable Kernel Page-Table Isolation (KPTI) | high | fail
    Disable vsyscalls | medium | fail
    Configure Syslog 1x fail
    Ensure All Logs are Rotated by logrotate 1x fail
    Ensure Logrotate Runs Periodically | medium | fail
    Network Configuration and Firewalls 30x fail 1x notchecked
    iptables and ip6tables
    Install iptables-nft Package | medium | notapplicable
    Install iptables Package | medium | notapplicable
    IPv6 6x fail
    Configure IPv6 Settings if Necessary 6x fail
    Configure Accepting Router Advertisements on All IPv6 Interfaces | medium | fail
    Disable Accepting ICMP Redirects for All IPv6 Interfaces | medium | fail
    Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces | medium | fail
    Disable Accepting Router Advertisements on all IPv6 Interfaces by Default | medium | fail
    Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces | medium | fail
    Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default | medium | fail
    Kernel Parameters Which Affect Networking 14x fail
    Network Related Kernel Runtime Parameters for Hosts and Routers 12x fail
    Disable Accepting ICMP Redirects for All IPv4 Interfaces | medium | fail
    Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces | medium | fail
    Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces | unknown | fail
    Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces | medium | fail
    Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces | medium | fail
    Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces | medium | fail
    Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default | medium | pass
    Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default | unknown | fail
    Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default | medium | fail
    Configure Kernel Parameter for Accepting Secure Redirects By Default | medium | fail
    Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces | medium | fail
    Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces | unknown | fail
    Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces | medium | fail
    Network Parameters for Hosts Only 2x fail
    Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces | medium | fail
    Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default | medium | fail
    Uncommon Network Protocols 5x fail
    Disable ATM Support | medium | fail
    Disable CAN Support | medium | fail
    Disable IEEE 1394 (FireWire) Support | low | fail
    Disable SCTP Support | medium | fail
    Disable TIPC Support | low | fail
    Wireless Networking 5x fail 1x notchecked
    Disable Wireless Through Software Configuration 5x fail 1x notchecked
    Disable Bluetooth Service | medium | pass
    Disable Bluetooth Kernel Module | medium | fail
    Disable Kernel cfg80211 Module | medium | fail
    Disable Kernel iwlmvm Module | medium | fail
    Disable Kernel iwlwifi Module | medium | fail
    Disable Kernel mac80211 Module | medium | fail
    Disable WiFi or Bluetooth in BIOS | unknown | notchecked
    Deactivate Wireless Network Interfaces | medium | notapplicable
    File Permissions and Masks 21x fail 1x notchecked
    Verify Permissions on Important Files and Directories
    Restrict Dynamic Mounting and Unmounting of Filesystems 9x fail 1x notchecked
    Disable the Automounter | medium | notapplicable
    Disable Booting from USB Devices in Boot Firmware | unknown | notchecked
    Disable Kernel Support for USB via Bootloader Configuration | medium | fail
    Disable Mounting of cramfs | low | fail
    Disable Mounting of freevxfs | low | fail
    Disable Mounting of hfs | low | fail
    Disable Mounting of hfsplus | low | fail
    Disable Mounting of jffs2 | low | fail
    Disable Mounting of squashfs | low | fail
    Disable Mounting of udf | low | fail
    Disable Modprobe Loading of USB Storage Driver | medium | fail
    Restrict Programs from Dangerous Execution Patterns 12x fail
    Disable Core Dumps 4x fail
    Disable acquiring, saving, and processing core dumps | medium | fail
    Disable core dump backtraces | medium | fail
    Disable storing core dump | medium | fail
    Disable Core Dumps for All Users | medium | fail
    Enable ExecShield
    Restrict Exposed Kernel Pointer Addresses Access | medium | pass
    Memory Poisoning 1x fail
    Enable page allocator poisoning | medium | fail
    Disable storing core dumps | medium | fail
    Restrict Access to Kernel Message Buffer | low | fail
    Disable Kernel Image Loading | medium | fail
    Disallow kernel profiling by unprivileged users | low | fail
    Disable Access to Network bpf() Syscall From Unprivileged Processes | medium | fail
    Restrict usage of ptrace to descendant processes | medium | fail
    Harden the operation of the BPF just-in-time compiler | medium | fail
    SELinux
    Ensure SELinux Not Disabled in the kernel arguments | medium | pass
    Configure SELinux Policy | medium | pass
    Ensure SELinux State is Enforcing | high | pass
    Services 11x fail
    Network Time Protocol 4x fail
    Enable the NTP Daemon | medium | pass
    Disable chrony daemon from acting as server | low | fail
    Disable network management of chrony daemon | low | fail
    Configure Time Service Maxpoll Interval | medium | fail
    Specify Additional Remote NTP Servers | medium | fail
    Specify a Remote NTP Server | medium | pass
    SSH Server 4x fail
    Configure OpenSSH Server if Necessary 4x fail
    Set SSH Client Alive Count Max | medium | fail
    Set SSH Client Alive Interval | medium | fail
    Disable SSH Support for .rhosts Files | medium | fail
    Limit Users' SSH Access | unknown | fail
    Verify Group Who Owns SSH Server config file | medium | pass
    Verify Owner on SSH Server config file | medium | pass
    Verify Permissions on SSH Server config file | medium | pass
    Verify Permissions on SSH Server Private *_key Key Files | medium | pass
    Verify Permissions on SSH Server Public *.pub Key Files | medium | pass
    USBGuard daemon 3x fail
    Install usbguard Package | medium | fail
    Enable the USBGuard Service | medium | fail
    Log USBGuard daemon audit events using Linux Audit | low | notapplicable
    Authorize Human Interface Devices and USB hubs in USBGuard daemon | medium | fail
    System Accounting with auditd 120x fail
    Configure auditd Rules for Comprehensive Auditing 113x fail
    Record Events that Modify the System's Discretionary Access Controls 13x fail
    Record Events that Modify the System's Discretionary Access Controls - chmod | medium | fail
    Record Events that Modify the System's Discretionary Access Controls - chown | medium | fail
    Record Events that Modify the System's Discretionary Access Controls - fchmod | medium | fail
    Record Events that Modify the System's Discretionary Access Controls - fchmodat | medium | fail
    Record Events that Modify the System's Discretionary Access Controls - fchown | medium | fail
    Record Events that Modify the System's Discretionary Access Controls - fchownat | medium | fail
    Record Events that Modify the System's Discretionary Access Controls - fremovexattr | medium | fail
    Record Events that Modify the System's Discretionary Access Controls - fsetxattr | medium | fail
    Record Events that Modify the System's Discretionary Access Controls - lchown | medium | fail
    Record Events that Modify the System's Discretionary Access Controls - lremovexattr | medium | fail
    Record Events that Modify the System's Discretionary Access Controls - lsetxattr | medium | fail
    Record Events that Modify the System's Discretionary Access Controls - removexattr | medium | fail
    Record Events that Modify the System's Discretionary Access Controls - setxattr | medium | fail
    Record Execution Attempts to Run SELinux Privileged Commands 6x fail
    Record Any Attempts to Run chcon | medium | fail
    Record Any Attempts to Run restorecon | medium | fail
    Record Any Attempts to Run semanage | medium | fail
    Record Any Attempts to Run setfiles | medium | fail
    Record Any Attempts to Run setsebool | medium | fail
    Record Any Attempts to Run seunshare | medium | fail
    Record File Deletion Events by User 5x fail
    Ensure auditd Collects File Deletion Events by User - rename | medium | fail
    Ensure auditd Collects File Deletion Events by User - renameat | medium | fail
    Ensure auditd Collects File Deletion Events by User - rmdir | medium | fail
    Ensure auditd Collects File Deletion Events by User - unlink | medium | fail
    Ensure auditd Collects File Deletion Events by User - unlinkat | medium | fail
    Record Unauthorized Access Attempts Events to Files (unsuccessful) 32x fail
    Record Unsuccessful Permission Changes to Files - chmod | medium | fail
    Record Unsuccessful Ownership Changes to Files - chown | medium | fail
    Record Unsuccessful Access Attempts to Files - creat | medium | fail
    Record Unsuccessful Permission Changes to Files - fchmod | medium | fail
    Record Unsuccessful Permission Changes to Files - fchmodat | medium | fail
    Record Unsuccessful Ownership Changes to Files - fchown | medium | fail
    Record Unsuccessful Ownership Changes to Files - fchownat | medium | fail
    Record Unsuccessful Permission Changes to Files - fremovexattr | medium | fail
    Record Unsuccessful Permission Changes to Files - fsetxattr | medium | fail
    Record Unsuccessful Access Attempts to Files - ftruncate | medium | fail
    Record Unsuccessful Ownership Changes to Files - lchown | medium | fail
    Record Unsuccessful Permission Changes to Files - lremovexattr | medium | fail
    Record Unsuccessful Permission Changes to Files - lsetxattr | medium | fail
    Record Unsuccessful Access Attempts to Files - open | medium | fail
    Record Unsuccessful Access Attempts to Files - open_by_handle_at | medium | fail
    Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT | medium | fail
    Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE | medium | fail
    Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly | medium | fail
    Record Unsuccessful Creation Attempts to Files - open O_CREAT | medium | fail
    Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE | medium | fail
    Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly | medium | fail
    Record Unsuccessful Access Attempts to Files - openat | medium | fail
    Record Unsuccessful Creation Attempts to Files - openat O_CREAT | medium | fail
    Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE | medium | fail
    Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly | medium | fail
    Record Unsuccessful Permission Changes to Files - removexattr | medium | fail
    Record Unsuccessful Delete Attempts to Files - rename | medium | fail
    Record Unsuccessful Delete Attempts to Files - renameat | medium | fail
    Record Unsuccessful Permission Changes to Files - setxattr | medium | fail
    Record Unsuccessful Access Attempts to Files - truncate | medium | fail
    Record Unsuccessful Delete Attempts to Files - unlink | medium | fail
    Record Unsuccessful Delete Attempts to Files - unlinkat | medium | fail
    Record Information on Kernel Modules Loading and Unloading 3x fail
    Ensure auditd Collects Information on Kernel Module Unloading - delete_module | medium | fail
    Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module | medium | fail
    Ensure auditd Collects Information on Kernel Module Loading - init_module | medium | fail
    Record Attempts to Alter Logon and Logout Events - faillock | medium | fail
    Record Attempts to Alter Logon and Logout Events - lastlog | medium | fail
    Record Attempts to Alter Logon and Logout Events - tallylog | medium | fail
    Record Information on the Use of Privileged Commands 22x fail
    Ensure auditd Collects Information on the Use of Privileged Commands - at | medium | fail
    Ensure auditd Collects Information on the Use of Privileged Commands - chage | medium | fail
    Ensure auditd Collects Information on the Use of Privileged Commands - chsh | medium | fail
    Ensure auditd Collects Information on the Use of Privileged Commands - crontab | medium | fail
    Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd | medium | fail
    Ensure auditd Collects Information on the Use of Privileged Commands - mount | medium | fail
    Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap | medium | fail
    Ensure auditd Collects Information on the Use of Privileged Commands - newgrp | medium | fail
    Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap | medium | fail
    Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check | medium | fail
    Ensure auditd Collects Information on the Use of Privileged Commands - passwd | medium | fail
    Ensure auditd Collects Information on the Use of Privileged Commands - postdrop | medium | fail
    Ensure auditd Collects Information on the Use of Privileged Commands - postqueue | medium | fail
    Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown | medium | fail
    Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign | medium | fail
    Ensure auditd Collects Information on the Use of Privileged Commands - su | medium | fail
    Ensure auditd Collects Information on the Use of Privileged Commands - sudo | medium | fail
    Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit | medium | fail
    Ensure auditd Collects Information on the Use of Privileged Commands - umount | medium | fail
    Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd | medium | fail
    Ensure auditd Collects Information on the Use of Privileged Commands - userhelper | medium | fail
    Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl | medium | fail
    Records Events that Modify Date and Time Information 5x fail
    Record attempts to alter time through adjtimex | medium | fail
    Record Attempts to Alter Time Through clock_settime | medium | fail
    Record attempts to alter time through settimeofday | medium | fail
    Record Attempts to Alter Time Through stime | medium | fail
    Record Attempts to Alter the localtime File | medium | fail
    Record Events that Modify User/Group Information via open syscall - /etc/group | medium | fail
    Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group | medium | fail
    Record Events that Modify User/Group Information via openat syscall - /etc/group | medium | fail
    Record Events that Modify User/Group Information via open syscall - /etc/gshadow | medium | fail
    Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow | medium | fail
    Record Events that Modify User/Group Information via openat syscall - /etc/gshadow | medium | fail
    Record Events that Modify User/Group Information via open syscall - /etc/passwd | medium | fail
    Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd | medium | fail
    Record Events that Modify User/Group Information via openat syscall - /etc/passwd | medium | fail
    Record Events that Modify User/Group Information via open syscall - /etc/shadow | medium | fail
    Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow | medium | fail
    Record Events that Modify User/Group Information via openat syscall - /etc/shadow | medium | fail
    Make the auditd Configuration Immutable | medium | fail
    Record Events that Modify the System's Mandatory Access Controls | medium | fail
    Ensure auditd Collects Information on Exporting to Media (successful) | medium | fail
    Record Events that Modify the System's Network Environment | medium | fail
    Record Attempts to Alter Process and Session Initiation Information | medium | fail
    Ensure auditd Collects System Administrator Actions | medium | fail
    Record Events that Modify User/Group Information - /etc/group | medium | fail
    Record Events that Modify User/Group Information - /etc/gshadow | medium | fail
    Record Events that Modify User/Group Information - /etc/security/opasswd | medium | fail
    Record Events that Modify User/Group Information - /etc/passwd | medium | fail
    Record Events that Modify User/Group Information - /etc/shadow | medium | fail
    Record Access Events to Audit Log Directory | medium | fail
    System Audit Logs Must Have Mode 0750 or Less Permissive | medium | pass
    System Audit Logs Must Be Owned By Root | medium | pass
    System Audit Logs Must Have Mode 0640 or Less Permissive | medium | pass
    Configure auditd Data Retention 5x fail
    Configure auditd Disk Error Action on Disk Error | medium | fail
    Configure auditd Disk Full Action when Disk Space Is Full | medium | fail
    Configure auditd admin_space_left Action on Low Disk Space | medium | fail
    Configure auditd flush priority | medium | pass
    Configure auditd Max Log File Size | medium | pass
    Configure auditd max_log_file_action Upon Reaching Maximum Log Size | medium | pass
    Configure auditd Number of Logs Retained | medium | pass
    Configure auditd space_left on Low Disk Space | medium | fail
    Configure auditd space_left Action on Low Disk Space | medium | pass
    Set number of records to cause an explicit flush to audit logs | medium | pass
    Include Local Events in Audit Logs | medium | pass
    Resolve information before writing to audit logs | low | pass
    Set type of computer node name logging in audit logs | medium | fail
    Write Audit Logs to the Disk | medium | pass
    Ensure the audit Subsystem is Installed | medium | pass
    Enable auditd Service | medium | pass
    Extend Audit Backlog Limit for the Audit Daemon | medium | fail
    Enable Auditing for Processes Which Start Prior to the Audit Daemon | medium | fail

    Result Details

    Enable FIPS Mode | xccdf_org.ssgproject.content_rule_enable_fips_mode | high | CCE-82540-6

    Enable FIPS Mode

    Rule ID: xccdf_org.ssgproject.content_rule_enable_fips_mode
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-enable_fips_mode:def:1
    Time: 2025-10-23T19:33:57+00:00
    Severity: high
    Identifiers: CCE-82540-6

    References:
    disa: CCI-002450, CCI-000068, CCI-002418, CCI-000877
    ism: 1446
    nerc-cip: CIP-003-8 R4.2, CIP-007-3 R5.1
    nist: CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12
    ospp: FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1
    os-srg: SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176
    Description
    OpenShift has an installation-time flag that can enable FIPS mode for the cluster. The flag "fips: true" must be enabled at install time in the install-config.yaml file. If this rule fails on an installed cluster, then this is a permanent finding and cannot be fixed.
    Rationale
    Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
    Warnings
    Warning: To configure Red Hat Enterprise Linux CoreOS 4 to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. Only enabling FIPS 140 mode during the Red Hat Enterprise Linux CoreOS 4 installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place. Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
    Warning: This rule DOES NOT CHECK if the components of the operating system are FIPS certified. You can find the list of FIPS certified modules at https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search. This rule checks if the system is running in FIPS mode.
    OVAL test results details

    /etc/system-fips exists  oval:ssg-test_etc_system_fips:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_etc_system_fips:obj:1 of type file_object
    Filepath: /etc/system-fips

    kernel runtime parameter crypto.fips_enabled set to 1  oval:ssg-test_sysctl_crypto_fips_enabled:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_sysctl_crypto_fips_enabled:obj:1 of type textfilecontent54_object
    Filepath: /proc/sys/crypto/fips_enabled
    Pattern: ^1$
    Instance: 1

    check for crypto policy correctly configured in /etc/crypto-policies/config  oval:ssg-test_configure_crypto_policy:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: false
    Path: /etc/crypto-policies/config
    Content: DEFAULT

    check for crypto policy correctly configured in /etc/crypto-policies/state/current  oval:ssg-test_configure_crypto_policy_current:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: false
    Path: /etc/crypto-policies/state/current
    Content: DEFAULT

    Check if update-crypto-policies has been run  oval:ssg-test_crypto_policies_updated:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: true
    Var ref: oval:ssg-variable_crypto_policies_config_file_timestamp:var:1
    Value: 1761074186

    Check if /etc/crypto-policies/back-ends/nss.config exists  oval:ssg-test_crypto_policy_nss_config:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /etc/crypto-policies/back-ends/nss.config
    Type: symbolic link
    UID: 0
    GID: 0
    Size (B): 42
    Permissions: rwxrwxrwx

    tests if var_system_crypto_policy is set to FIPS  oval:ssg-test_system_crypto_policy_value:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: true
    Var ref: oval:ssg-var_system_crypto_policy:var:1
    Value: FIPS

    Configure System Cryptography Policy | xccdf_org.ssgproject.content_rule_configure_crypto_policy | high | CCE-82541-4

    Configure System Cryptography Policy

    Rule ID: xccdf_org.ssgproject.content_rule_configure_crypto_policy
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-configure_crypto_policy:def:1
    Time: 2025-10-23T19:33:57+00:00
    Severity: high
    Identifiers: CCE-82541-4

    References:
    disa: CCI-000068, CCI-003123, CCI-002450, CCI-000877, CCI-002418, CCI-001453, CCI-002890
    hipaa: 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii)
    ism: 1446
    nerc-cip: CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1
    nist: AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3)
    ospp: FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1
    os-srg: SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174
    pcidss4: 2.2.7, 2.2
    Description
    To configure the system cryptography policy to use ciphers only from the FIPS policy, create a MachineConfig as follows:
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      labels:
        machineconfiguration.openshift.io/role: master
      name: 50-master-configure-crypto-policy
    spec:
      config:
        ignition:
          version: 3.1.0
        systemd:
          units:
            - name: configure-crypto-policy.service
              enabled: true
              contents: |
                [Unit]
                Before=kubelet.service
                [Service]
                Type=oneshot
                ExecStart=update-crypto-policies --set FIPS
                RemainAfterExit=yes
                [Install]
                WantedBy=multi-user.target
    

    This will configure the crypto policy appropriately in all the nodes labeled with the "master" role.

    Note that this needs to be done for each MachineConfigPool.

    For more information on how to configure nodes with the Machine Config Operator, see the relevant documentation.

    The rule checks whether the settings for the selected crypto policy are configured as expected. Configuration files in /etc/crypto-policies/back-ends are either symlinks to the correct files provided by the crypto-policies package, or regular files when crypto policy customizations are applied. Crypto policies may be customized by crypto policy modules, in which case the module list is delimited from the base policy by a colon.
    Rationale
    Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.
    Warnings
    warning  The system needs to be rebooted for these changes to take effect.
    warning  System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

    Complexity: low
    Disruption: low
    Reboot: true
    Strategy: restrict
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        systemd:
          units:
            - name: configure-crypto-policy.service
              enabled: true
              contents: |
                [Unit]
                Before=kubelet.service
                [Service]
                Type=oneshot
                ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
                RemainAfterExit=yes
                [Install]
                WantedBy=multi-user.target
    
    OVAL test results details

    check for crypto policy correctly configured in /etc/crypto-policies/config  oval:ssg-test_configure_crypto_policy:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    false | /etc/crypto-policies/config | DEFAULT

    check for crypto policy correctly configured in /etc/crypto-policies/state/current  oval:ssg-test_configure_crypto_policy_current:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    false | /etc/crypto-policies/state/current | DEFAULT

    Check if update-crypto-policies has been run  oval:ssg-test_crypto_policies_updated:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Var ref | Value
    true | oval:ssg-variable_crypto_policies_config_file_timestamp:var:1 | 1761074186

    Check if /etc/crypto-policies/back-ends/nss.config exists  oval:ssg-test_crypto_policy_nss_config:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions
    not evaluated | /etc/crypto-policies/back-ends/nss.config | symbolic link | 0 | 0 | 42 | rwxrwxrwx
    Configure Kerberos to use System Crypto Policy | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy | high | CCE-82547-1

    Configure Kerberos to use System Crypto Policy

    Rule ID: xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-configure_kerberos_crypto_policy:def:1
    Time: 2025-10-23T19:33:57+00:00
    Severity: high
    Identifiers:

    CCE-82547-1

    References:
    disa: CCI-000803
    ism: 0418, 1055, 1402
    nerc-cip: CIP-003-8 R4.2, CIP-007-3 R5.1
    nist: SC-13, SC-12(2), SC-12(3)
    os-srg: SRG-OS-000120-GPOS-00061
    Description
    Crypto Policies provide centralized control over the crypto algorithms used by many packages. Kerberos is supported by crypto policy, but its configuration may be set up to ignore it. To check that the Crypto Policies settings for Kerberos are configured correctly, verify that there is a symlink at /etc/krb5.conf.d/crypto-policies targeting /etc/crypto-policies/back-ends/krb5.config. If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings.
    Rationale
    Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented.
    OVAL test results details

    Check if kerberos configuration symlink and crypto policy kerberos backend symlink point to same file  oval:ssg-test_configure_kerberos_crypto_policy_symlink:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Var ref | Value
    true | oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 | /usr/share/crypto-policies/DEFAULT/krb5.txt

    Check if kerberos configuration symlink links to the crypto-policy backend file  oval:ssg-test_configure_kerberos_crypto_policy_nosymlink:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Var ref | Value
    false | oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 | /usr/share/crypto-policies/DEFAULT/krb5.txt
    Configure OpenSSL library to use System Crypto Policy | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy | medium | CCE-82545-5

    Configure OpenSSL library to use System Crypto Policy

    Rule ID: xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-configure_openssl_crypto_policy:def:1
    Time: 2025-10-23T19:33:57+00:00
    Severity: medium
    Identifiers:

    CCE-82545-5

    References:
    disa: CCI-001453
    nerc-cip: CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1
    nist: AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3)
    ospp: FCS_CKM.1, FCS_CKM.1.1, FCS_CKM.2, FCS_COP.1/ENCRYPT, FCS_COP.1/HASH, FCS_COP.1/SIGN, FCS_COP.1/KEYHMAC, FCS_TLSC_EXT.1, FCS_TLSC_EXT.1.1
    pcidss: Req-2.2
    os-srg: SRG-OS-000250-GPOS-00093
    Description
    Crypto Policies provide centralized control over the crypto algorithms used by many packages. OpenSSL is supported by crypto policy, but the OpenSSL configuration may be set up to ignore it. To check that the Crypto Policies settings are configured correctly, examine the OpenSSL config file at /etc/pki/tls/openssl.cnf. This file uses the INI format, and crypto policy support is enabled if it contains a [ crypto_policy ] section with the .include /etc/crypto-policies/back-ends/opensslcnf.config directive.
    Rationale
    Overriding the system crypto policy makes the behavior of the Java runtime violate expectations, and makes system configuration more fragmented.
    OVAL test results details

    Check that the configuration mandates usage of system-wide crypto policies.  oval:ssg-test_configure_openssl_crypto_policy:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    not evaluated | /etc/pki/tls/openssl.cnf | [ crypto_policy ] .include = /etc/crypto-policies/back-ends/opensslcnf.config
    Configure SSH to use System Crypto Policy | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy | medium

    Configure SSH to use System Crypto Policy

    Rule ID: xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-configure_ssh_crypto_policy:def:1
    Time: 2025-10-23T19:33:57+00:00
    Severity: medium
    References:
    disa: CCI-001453
    hipaa: 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii)
    nerc-cip: CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1
    nist: AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13
    ospp: FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1
    pcidss: Req-2.2
    os-srg: SRG-OS-000250-GPOS-00093
    pcidss4: 2.2.7, 2.2
    Description
    Crypto Policies provide centralized control over the crypto algorithms used by many packages. SSH is supported by crypto policy, but the SSH configuration may be set up to ignore it. To check that the Crypto Policies settings are configured correctly, ensure that the CRYPTO_POLICY variable is either commented out or not set at all in /etc/sysconfig/sshd.
    Rationale
    Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented.
    OVAL test results details

    Check that the SSH configuration mandates usage of system-wide crypto policies.  oval:ssg-test_configure_ssh_crypto_policy:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_configure_ssh_crypto_policy:obj:1 of type textfilecontent54_object
    Filepath | Pattern | Instance
    /etc/sysconfig/sshd | ^\s*(?i)CRYPTO_POLICY\s*=.*$ | 1
    Ensure /var/log Located On Separate Partition | xccdf_org.ssgproject.content_rule_partition_for_var_log | low | CCE-82737-8

    Ensure /var/log Located On Separate Partition

    Rule ID: xccdf_org.ssgproject.content_rule_partition_for_var_log
    Result: notchecked
    Multi-check rule: no
    Time: 2025-10-23T19:33:57+00:00
    Severity: low
    Identifiers:

    CCE-82737-8

    References:
    cis-csc: 1, 12, 14, 15, 16, 3, 5, 6, 8
    cobit5: APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01
    disa: CCI-000366
    isa-62443-2009: 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3
    nerc-cip: CIP-007-3 R6.5
    nist: CM-6(a), AU-4, SC-5(2)
    nist-csf: PR.PT-1, PR.PT-4
    os-srg: SRG-OS-000480-GPOS-00227
    anssi: R28
    Description
    System logs are stored in the /var/log directory.

    Partitioning Red Hat CoreOS is a Day 1 operation and cannot be changed afterwards. For documentation on how to add a MachineConfig manifest that specifies a separate /var/log partition, follow: https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic

    Note that the Red Hat OpenShift documentation often references a block device, such as /dev/vda. The name of the available block devices depends on the underlying infrastructure (bare metal vs cloud), and often the specific instance type. For example in AWS, some instance types have NVMe drives (/dev/nvme*), others use /dev/xvda*. You will need to look for relevant documentation for your infrastructure around this. In many cases, the simplest thing is to boot a single machine with an Ignition configuration that just gives you SSH access, and inspect the block devices via e.g. the lsblk command. For physical hardware, a good best practice is to reference devices via the /dev/disk/by-id/ or /dev/disk/by-path links.

    Rationale
    Placing /var/log in its own partition enables better separation between log files and other files in /var/.
    Evaluation messages
    info 
    No candidate or applicable check found.
    Ensure /var/log/audit Located On Separate Partition | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit | low | CCE-82738-6

    Ensure /var/log/audit Located On Separate Partition

    Rule ID: xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
    Result: notchecked
    Multi-check rule: no
    Time: 2025-10-23T19:33:57+00:00
    Severity: low
    Identifiers:

    CCE-82738-6

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8
    cobit5: APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01
    disa: CCI-000366, CCI-001849
    hipaa: 164.312(a)(2)(ii)
    isa-62443-2009: 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6
    iso27001-2013: A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1
    nerc-cip: CIP-007-3 R6.5
    nist: CM-6(a), AU-4, SC-5(2)
    nist-csf: PR.DS-4, PR.PT-1, PR.PT-4
    ospp: FMT_SMF_EXT.1
    os-srg: SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227
    app-srg-ctr: SRG-APP-000357-CTR-000800, CNTR-OS-000200, CNTR-OS-000670
    anssi: R71
    Description
    Audit logs are stored in the /var/log/audit directory.

    Partitioning Red Hat CoreOS is a Day 1 operation and cannot be changed afterwards. For documentation on how to add a MachineConfig manifest that specifies a separate /var/log/audit partition, follow: https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic

    Note that the Red Hat OpenShift documentation often references a block device, such as /dev/vda. The name of the available block devices depends on the underlying infrastructure (bare metal vs cloud), and often the specific instance type. For example in AWS, some instance types have NVMe drives (/dev/nvme*), others use /dev/xvda*. You will need to look for relevant documentation for your infrastructure around this. In many cases, the simplest thing is to boot a single machine with an Ignition configuration that just gives you SSH access, and inspect the block devices via e.g. the lsblk command. For physical hardware, a good best practice is to reference devices via the /dev/disk/by-id/ or /dev/disk/by-path links.

    Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.
    Rationale
    Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.
    Evaluation messages
    info 
    No candidate or applicable check found.
    Install sudo Package | xccdf_org.ssgproject.content_rule_package_sudo_installed | medium | CCE-82523-2

    Install sudo Package

    Rule ID: xccdf_org.ssgproject.content_rule_package_sudo_installed
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-package_sudo_installed:def:1
    Time: 2025-10-23T19:33:57+00:00
    Severity: medium
    Identifiers:

    CCE-82523-2

    References:
    disa: CCI-002235
    ism: 1382, 1384, 1386
    nist: CM-6(a)
    ospp: FMT_MOF_EXT.1
    os-srg: SRG-OS-000324-GPOS-00125
    anssi: R33
    pcidss4: 2.2.6, 2.2
    Description
    The sudo package can be installed with the following command:
    $ sudo dnf install sudo
    Rationale
    sudo is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to get their work done.
    OVAL test results details

    package sudo is installed  oval:ssg-test_package_sudo_installed:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
    not evaluated | sudo | x86_64 | (none) | 10.el9_6.2 | 1.9.5p2 | 0:1.9.5p2-10.el9_6.2 | 199e2f91fd431d51 | sudo-0:1.9.5p2-10.el9_6.2.x86_64
    Modify the System Login Banner | xccdf_org.ssgproject.content_rule_banner_etc_issue | medium | CCE-82555-4

    Modify the System Login Banner

    Rule ID: xccdf_org.ssgproject.content_rule_banner_etc_issue
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-banner_etc_issue:def:1
    Time: 2025-10-23T19:33:57+00:00
    Severity: medium
    Identifiers:

    CCE-82555-4

    References:
    cis-csc: 1, 12, 15, 16
    cobit5: DSS05.04, DSS05.10, DSS06.10
    cui: 3.1.9
    disa: CCI-001387, CCI-001384, CCI-000048, CCI-001386, CCI-001388, CCI-001385
    isa-62443-2009: 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9
    iso27001-2013: A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
    nist: AC-8(a), AC-8(c)
    nist-csf: PR.AC-7
    os-srg: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088
    Description
    To configure the system login banner, create a file under /etc/issue.d. The Machine Configuration provided with this rule is generic; you may need to adjust it to fit your use case. The DoD required text is either:

    You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
    -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
    -At any time, the USG may inspect and seize data stored on this IS.
    -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
    -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
    -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.


    OR:

    I've read & consent to terms in IS user agreem't.

    To address this, please create a MachineConfig object with the appropriate text in a drop-in file in /etc/issue.d/. You can also use the supplied remediation, which will be available based on scan results using `oc get remediations`. The default remediation is opinionated and you may need to adjust the MachineConfig accordingly for your use case. Do not try to edit /etc/issue directly as this is a symlink provided by the Operating System.

    For example, if you're using the DoD required text, the manifest would look as follows:

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      labels:
        machineconfiguration.openshift.io/role: master
      name: 75-master-etc-issue
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,You%20are%20accessing%20a%20U.S.%20Government%20%28USG%29%20Information%20System%20%28IS%29%20that%20is%20%0Aprovided%20for%20USG-authorized%20use%20only.%20By%20using%20this%20IS%20%28which%20includes%20any%20%0Adevice%20attached%20to%20this%20IS%29%2C%20you%20consent%20to%20the%20following%20conditions%3A%0A%0A-The%20USG%20routinely%20intercepts%20and%20monitors%20communications%20on%20this%20IS%20for%20%0Apurposes%20including%2C%20but%20not%20limited%20to%2C%20penetration%20testing%2C%20COMSEC%20monitoring%2C%20%0Anetwork%20operations%20and%20defense%2C%20personnel%20misconduct%20%28PM%29%2C%20law%20enforcement%20%0A%28LE%29%2C%20and%20counterintelligence%20%28CI%29%20investigations.%0A%0A-At%20any%20time%2C%20the%20USG%20may%20inspect%20and%20seize%20data%20stored%20on%20this%20IS.%0A%0A-Communications%20using%2C%20or%20data%20stored%20on%2C%20this%20IS%20are%20not%20private%2C%20are%20subject%20%0Ato%20routine%20monitoring%2C%20interception%2C%20and%20search%2C%20and%20may%20be%20disclosed%20or%20used%20%0Afor%20any%20USG-authorized%20purpose.%0A%0A-This%20IS%20includes%20security%20measures%20%28e.g.%2C%20authentication%20and%20access%20controls%29%20%0Ato%20protect%20USG%20interests--not%20for%20your%20personal%20benefit%20or%20privacy.%0A%0A-Notwithstanding%20the%20above%2C%20using%20this%20IS%20does%20not%20constitute%20consent%20to%20PM%2C%20LE%20%0Aor%20CI%20investigative%20searching%20or%20monitoring%20of%20the%20content%20of%20privileged%20%0Acommunications%2C%20or%20work%20product%2C%20related%20to%20personal%20representation%20or%20services%20%0Aby%20attorneys%2C%20psychotherapists%2C%20or%20clergy%2C%20and%20their%20assistants.%20Such%20%0Acommunications%20and%20work%20product%20are%20private%20and%20confidential.%20See%20User%20%0AAgreement%20for%20details.
            mode: 0644
            path: /etc/issue.d/legal-notice
            overwrite: true
    

    Note that this needs to be done for each MachineConfigPool

    For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.

    Rationale
    Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

    System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      labels:
        machineconfiguration.openshift.io/role: master
        machineconfiguration.openshift.io/role: worker
      name: 75-banner-etc-issue
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,You%20are%20accessing%20a%20U.S.%20Government%20%28USG%29%20Information%20System%20%28IS%29%20that%20is%20%0Aprovided%20for%20USG-authorized%20use%20only.%20By%20using%20this%20IS%20%28which%20includes%20any%20%0Adevice%20attached%20to%20this%20IS%29%2C%20you%20consent%20to%20the%20following%20conditions%3A%0A%0A-The%20USG%20routinely%20intercepts%20and%20monitors%20communications%20on%20this%20IS%20for%20%0Apurposes%20including%2C%20but%20not%20limited%20to%2C%20penetration%20testing%2C%20COMSEC%20monitoring%2C%20%0Anetwork%20operations%20and%20defense%2C%20personnel%20misconduct%20%28PM%29%2C%20law%20enforcement%20%0A%28LE%29%2C%20and%20counterintelligence%20%28CI%29%20investigations.%0A%0A-At%20any%20time%2C%20the%20USG%20may%20inspect%20and%20seize%20data%20stored%20on%20this%20IS.%0A%0A-Communications%20using%2C%20or%20data%20stored%20on%2C%20this%20IS%20are%20not%20private%2C%20are%20subject%20%0Ato%20routine%20monitoring%2C%20interception%2C%20and%20search%2C%20and%20may%20be%20disclosed%20or%20used%20%0Afor%20any%20USG-authorized%20purpose.%0A%0A-This%20IS%20includes%20security%20measures%20%28e.g.%2C%20authentication%20and%20access%20controls%29%20%0Ato%20protect%20USG%20interests--not%20for%20your%20personal%20benefit%20or%20privacy.%0A%0A-Notwithstanding%20the%20above%2C%20using%20this%20IS%20does%20not%20constitute%20consent%20to%20PM%2C%20LE%20%0Aor%20CI%20investigative%20searching%20or%20monitoring%20of%20the%20content%20of%20privileged%20%0Acommunications%2C%20or%20work%20product%2C%20related%20to%20personal%20representation%20or%20services%20%0Aby%20attorneys%2C%20psychotherapists%2C%20or%20clergy%2C%20and%20their%20assistants.%20Such%20%0Acommunications%20and%20work%20product%20are%20private%20and%20confidential.%20See%20User%20%0AAgreement%20for%20details.
            mode: 0644
            path: /etc/issue.d/legal-notice
            overwrite: true
    
    OVAL test results details

    correct banner in /etc/issue  oval:ssg-test_banner_etc_issue:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    false | /etc/issue.d/21_clhm_ssh_host_keys.issue | SSH host key: SHA256:ymI3nRAhQu/SC0DhftaobNkq0FSAAshXys24rlD2IpY (ED25519) SSH host key: SHA256:PaH6RyAPU9QxEjKlJzQ1eXrumgB1phSxsqSkSRmg10k (ECDSA) SSH host key: SHA256:JAEcpyMoW1UALCWVItU63sfLBYNk8HJtwiH1ZCoO4Ko (RSA)
    false | /etc/issue.d/22_clhm_enp126s0.issue | enp126s0: \4{enp126s0} \6{enp126s0}
    false | /etc/issue | \S Kernel \r on an \m
    Prevent user from disabling the screen lock | xccdf_org.ssgproject.content_rule_no_tmux_in_shells | low

    Prevent user from disabling the screen lock

    Rule ID: xccdf_org.ssgproject.content_rule_no_tmux_in_shells
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-no_tmux_in_shells:def:1
    Time: 2025-10-23T19:34:00+00:00
    Severity: low
    References:
    disa: CCI-002235, CCI-000056
    nist: CM-6
    ospp: FMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1
    os-srg: SRG-OS-000324-GPOS-00125, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011
    Description
    The tmux terminal multiplexer is used to implement automatic session locking. It should not be listed in /etc/shells.
    Rationale
    Not listing tmux among the permitted shells prevents a malicious program running as a user from lowering security by disabling the screen lock.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,/bin/sh%0A/bin/bash%0A/usr/bin/sh%0A/usr/bin/bash%0A
            mode: 0644
            path: /etc/shells
            overwrite: true
    
    OVAL test results details

    check that tmux is not listed in /etc/shells  oval:ssg-test_no_tmux_in_shells:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    not evaluated | /etc/shells | tmux
    Disable debug-shell SystemD Service | xccdf_org.ssgproject.content_rule_service_debug-shell_disabled | medium | CCE-82496-1

    Disable debug-shell SystemD Service

    Rule ID: xccdf_org.ssgproject.content_rule_service_debug-shell_disabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-service_debug-shell_disabled:def:1
    Time: 2025-10-23T19:34:00+00:00
    Severity: medium
    Identifiers:

    CCE-82496-1

    References:
    cui: 3.4.5
    disa: CCI-000366, CCI-002235
    hipaa: 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
    nist: CM-6
    ospp: FIA_UAU.1
    os-srg: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227
    Description
    SystemD's debug-shell service is intended to diagnose SystemD-related boot issues with various systemctl commands. Once enabled and following a system reboot, a root shell will be available on tty9, which is accessed by pressing CTRL-ALT-F9. The debug-shell service should only be used for SystemD-related issues and should otherwise be disabled.

    By default, the debug-shell SystemD service is already disabled. The debug-shell service can be disabled with the following manifest:
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      labels:
        machineconfiguration.openshift.io/role: master
      name: 75-master-debug-shell-disable
    spec:
      config:
        ignition:
          version: 3.1.0
        systemd:
          units:
          - name: debug-shell.service
            enabled: false
            mask: true
          - name: debug-shell.socket
            enabled: false
            mask: true
    

    This will disable the debug-shell service in all the nodes labeled with the "master" role.

    Note that this needs to be done for each MachineConfigPool

    For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.

    Rationale
    This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        systemd:
          units:
          - name: debug-shell.service
            enabled: false
            mask: true
          - name: debug-shell.socket
            enabled: false
            mask: true
    
    OVAL test results details

    package systemd is removed  oval:ssg-service_debug-shell_disabled_test_service_debug-shell_package_systemd_removed:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
    not evaluated | systemd | x86_64 | (none) | 51.el9_6.2 | 252 | 0:252-51.el9_6.2 | 199e2f91fd431d51 | systemd-0:252-51.el9_6.2.x86_64

    Test that the debug-shell service is not running  oval:ssg-test_service_not_running_service_debug-shell_disabled_debug-shell:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Unit | Property | Value
    true | debug-shell.service | ActiveState | inactive

    Test that the property LoadState from the service debug-shell is masked  oval:ssg-test_service_loadstate_is_masked_service_debug-shell_disabled_debug-shell:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Unit | Property | Value
    false | debug-shell.service | LoadState | loaded
    Verify that Interactive Boot is Disabled | xccdf_org.ssgproject.content_rule_coreos_disable_interactive_boot | medium | CCE-83548-8

    Verify that Interactive Boot is Disabled

    Rule ID: xccdf_org.ssgproject.content_rule_coreos_disable_interactive_boot
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-coreos_disable_interactive_boot:def:1
    Time: 2025-10-23T19:34:00+00:00
    Severity: medium
    Identifiers:

    CCE-83548-8

    References:
    cis-csc: 11, 12, 14, 15, 16, 18, 3, 5
    cobit5: DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06
    cui: 3.1.2, 3.4.5
    disa: CCI-000213
    hipaa: 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
    isa-62443-2009: 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
    iso27001-2013: A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nist: SC-2(1), CM-6(a)
    nist-csf: PR.AC-4, PR.AC-6, PR.PT-3
    os-srg: SRG-OS-000480-GPOS-00227
    Description
    Red Hat Enterprise Linux CoreOS 4 systems support an "interactive boot" option that can be used to prevent services from being started. On a Red Hat Enterprise Linux CoreOS 4 system, interactive boot can be enabled by providing a 1, yes, true, or on value to the systemd.confirm_spawn kernel argument.
    Rationale
    Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.
    OVAL test results details

    Check if /boot/loader/entries/ostree-2.*.conf does not exist  oval:ssg-test_coreos_disable_interactive_boot_file_boot_loader_entries_ostree_2_conf_absent:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_coreos_disable_interactive_boot_file_boot_loader_entries_ostree_2_conf_absent:obj:1 of type file_object
    Filepath
    ^/boot/loader/entries/ostree-2.*.conf

    Check if argument systemd.confirm_spawn=(?:1|yes|true|on) is present in the line starting with 'options ' in /boot/loader/entries/ostree-1.*.conf  oval:ssg-test_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_boot_loader_entries_ostree_1_conf:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    false | /boot/loader/entries/ostree-1.conf | options rw $ignition_firstboot ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1="all" psi=0

    Check if argument systemd.confirm_spawn=(?:1|yes|true|on) is present in the line starting with 'options ' in /boot/loader/entries/ostree-2.*.conf  oval:ssg-test_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_boot_loader_entries_ostree_2_conf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_boot_loader_entries_ostree_2_conf:obj:1 of type textfilecontent54_object
    Filepath: ^/boot/loader/entries/ostree-2.*.conf
    Pattern: ^options (.*)$
    Instance: 1

    Check if argument systemd.confirm_spawn=(?:1|yes|true|on) is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline  oval:ssg-test_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_proc_cmdline:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: false
    Path: /proc/cmdline
    Content: BOOT_IMAGE=(hd0,gpt3)/boot/ostree/rhcos-96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/vmlinuz-5.14.0-570.51.1.el9_6.x86_64 rw ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all psi=0
    Disable Ctrl-Alt-Del Burst Action | xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction | high | CCE-82495-3

    Disable Ctrl-Alt-Del Burst Action

    Rule ID: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-disable_ctrlaltdel_burstaction:def:1
    Time: 2025-10-23T19:34:00+00:00
    Severity: high
    Identifiers: CCE-82495-3
    References:
    cis-csc: 12, 13, 14, 15, 16, 18, 3, 5
    cobit5: APO01.06, DSS05.04, DSS05.07, DSS06.02
    cui: 3.4.5
    disa: CCI-000366, CCI-002235
    hipaa: 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
    isa-62443-2009: 4.3.3.7.3
    isa-62443-2013: SR 2.1, SR 5.2
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nerc-cip: CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
    nist: CM-6(a), AC-6(1), CM-6(a)
    nist-csf: PR.AC-4, PR.DS-5
    ospp: FAU_GEN.1.2
    os-srg: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227
    Description
    By default, systemd will reboot the system if the Ctrl-Alt-Del key sequence is pressed more than 7 times in 2 seconds.

    To configure the system to ignore the Ctrl-Alt-Del burst (CtrlAltDelBurstAction set to none), create a MachineConfig similar to the following:
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      labels:
        machineconfiguration.openshift.io/role: master
      name: 75-master-disable-ctrlaltdel-burstaction
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,CtrlAltDelBurstAction%3Dnone
            mode: 0644
            path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
            overwrite: true

    This will add the relevant configuration to /etc/systemd/system.conf.d/, thus configuring systemd appropriately.

    Note that this needs to be done for each MachineConfigPool.

    For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.

    Rationale
    A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.
    Warnings
    warning: Disabling the Ctrl-Alt-Del key sequence in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The Ctrl-Alt-Del key sequence will only be disabled if running in the non-graphical runlevel 3.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,CtrlAltDelBurstAction%3Dnone
            mode: 0644
            path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
            overwrite: true
    
    OVAL test results details

    check if CtrlAltDelBurstAction is set to none  oval:ssg-test_disable_ctrlaltdel_burstaction:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_disable_ctrlaltdel_burstaction:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/systemd/system.conf(\.d/.*\.conf)?$
    Pattern: ^[\s]*CtrlAltDelBurstAction[\s]*=[\s]*none$
    Instance: 1
    Disable Ctrl-Alt-Del Reboot Activation | xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot | high | CCE-82493-8

    Disable Ctrl-Alt-Del Reboot Activation

    Rule ID: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-disable_ctrlaltdel_reboot:def:1
    Time: 2025-10-23T19:34:00+00:00
    Severity: high
    Identifiers: CCE-82493-8
    References:
    cis-csc: 12, 13, 14, 15, 16, 18, 3, 5
    cobit5: APO01.06, DSS05.04, DSS05.07, DSS06.02
    cui: 3.4.5
    disa: CCI-000366, CCI-002235
    hipaa: 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
    isa-62443-2009: 4.3.3.7.3
    isa-62443-2013: SR 2.1, SR 5.2
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nerc-cip: CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
    nist: CM-6(a), AC-6(1)
    nist-csf: PR.AC-4, PR.DS-5
    ospp: FAU_GEN.1.2
    os-srg: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227
    Description
    By default, systemd will reboot the system if the Ctrl-Alt-Del key sequence is pressed.

    To configure the system to ignore the Ctrl-Alt-Del key sequence from the command line instead of rebooting the system, create a MachineConfig similar to the following:
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      labels:
        machineconfiguration.openshift.io/role: master
      name: 75-master-disable-ctrlaltdel-reboot
    spec:
      config:
        ignition:
          version: 3.1.0
        systemd:
          units:
          - name: ctrl-alt-del.target
            mask: true

    This will mask the ctrl-alt-del.target systemd target for all the nodes labeled with the "master" role.

    Note that this needs to be done for each MachineConfigPool.

    For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.

    Rationale
    A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.

    Complexity: low
    Disruption: low
    Reboot: true
    Strategy: restrict
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        systemd:
          units:
          - name: ctrl-alt-del.target
            mask: true
    
    OVAL test results details

    Disable Ctrl-Alt-Del key sequence override exists  oval:ssg-test_disable_ctrlaltdel_exists:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: false
    Filepath: /etc/systemd/system/ctrl-alt-del.target
    Canonical path: /usr/lib/systemd/system/reboot.target
    Require Authentication for Single User Mode | xccdf_org.ssgproject.content_rule_require_singleuser_auth | medium | CCE-82550-5

    Require Authentication for Single User Mode

    Rule ID: xccdf_org.ssgproject.content_rule_require_singleuser_auth
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-require_singleuser_auth:def:1
    Time: 2025-10-23T19:34:00+00:00
    Severity: medium
    Identifiers: CCE-82550-5
    References:
    cis-csc: 1, 11, 12, 14, 15, 16, 18, 3, 5
    cobit5: DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10
    cui: 3.1.1, 3.4.5
    disa: CCI-000213
    hipaa: 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
    isa-62443-2009: 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
    ism: 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561
    iso27001-2013: A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
    nerc-cip: CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
    nist: IA-2, AC-3, CM-6(a)
    nist-csf: PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3
    ospp: FIA_UAU.1
    os-srg: SRG-OS-000080-GPOS-00048
    Description
    Single-user mode is intended as a system recovery method, giving a single user root access to the system through a boot option supplied at startup.

    By default, single-user mode is protected by requiring a password; this is configured in /usr/lib/systemd/system/rescue.service.
    Rationale
    This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such access is further prevented by configuring a bootloader password.
    OVAL test results details

    Tests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode  oval:ssg-test_require_rescue_service_distro:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: true
    Path: /usr/lib/systemd/system/rescue.service
    Content: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue

    Check that there is no override file for rescue.service with an ExecStart= directive  oval:ssg-test_rescue_service_not_overridden:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_require_rescue_service_override:obj:1 of type textfilecontent54_object
    Behaviors: no value
    Path: /etc/systemd/system/rescue.service.d
    Filename: ^.*\.conf$
    Pattern: ^.*ExecStart\s?=\s+.*ExecStart\s?=\s?\-?(.*)$
    Instance: 1

    Tests that /usr/lib/systemd/systemd-sulogin-shell is defined in /etc/systemd/system/rescue.service.d/*.conf  oval:ssg-test_require_rescue_service_override:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_require_rescue_service_override:obj:1 of type textfilecontent54_object
    Behaviors: no value
    Path: /etc/systemd/system/rescue.service.d
    Filename: ^.*\.conf$
    Pattern: ^.*ExecStart\s?=\s+.*ExecStart\s?=\s?\-?(.*)$
    Instance: 1

    Tests that the systemd rescue.service is in the runlevel1.target  oval:ssg-test_require_rescue_service_runlevel1:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/runlevel1.target
    Content: Requires=sysinit.target rescue.service

    look for runlevel1.target in /etc/systemd/system  oval:ssg-test_no_custom_runlevel1_target:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_no_custom_runlevel1_target:obj:1 of type file_object
    Behaviors: no value
    Path: /etc/systemd/system
    Filename: ^runlevel1.target$

    look for rescue.service in /etc/systemd/system  oval:ssg-test_no_custom_rescue_service:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_no_custom_rescue_service:obj:1 of type file_object
    Behaviors: no value
    Path: /etc/systemd/system
    Filename: ^rescue.service$
    Prevent Login to Accounts With Empty Password | xccdf_org.ssgproject.content_rule_no_empty_passwords | high | CCE-82553-9

    Prevent Login to Accounts With Empty Password

    Rule ID: xccdf_org.ssgproject.content_rule_no_empty_passwords
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-no_empty_passwords:def:1
    Time: 2025-10-23T19:34:00+00:00
    Severity: high
    Identifiers: CCE-82553-9
    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 18, 3, 5
    cjis: 5.5.2
    cobit5: APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10
    cui: 3.1.1, 3.1.5
    disa: CCI-000366
    hipaa: 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
    isa-62443-2009: 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
    nist: IA-5(1)(a), IA-5(c), CM-6(a)
    nist-csf: PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5
    ospp: FIA_UAU.1
    pcidss: Req-8.2.3
    os-srg: SRG-OS-000480-GPOS-00227
    pcidss4: 8.3.1, 8.3
    Description
    If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option from /etc/pam.d/system-auth and /etc/pam.d/password-auth to prevent logins with empty passwords.
    Rationale
    If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
    Warnings
    warning: If the system relies on the authselect tool to manage PAM settings, the remediation will also use the authselect tool. However, if any manual modification was made to the PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. Note that this rule is not applicable to systems running within a container. Having a user with an empty password within a container is not considered a risk, because it should not be possible to log in directly to a container anyway.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficien
t%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
            mode: 0644
            path: /etc/pam.d/password-auth
            overwrite: true
          - contents:
              source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficien
t%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
            mode: 0644
            path: /etc/pam.d/system-auth
            overwrite: true
    
    OVAL test results details

    make sure nullok is not used in /etc/pam.d/system-auth  oval:ssg-test_no_empty_passwords:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /etc/pam.d/password-auth
    Content:
      auth required pam_env.so
      auth required pam_faildelay.so delay=2000000
      auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
      auth [default=1 ignore=ignore success=ok] pam_localuser.so
      auth sufficient pam_unix.so nullok
      auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
      auth sufficient pam_sss.so forward_pass
      auth required pam_deny.so
      account required pam_unix.so
      account sufficient pam_localuser.so
      account sufficient pam_usertype.so issystem
      account [default=bad success=ok user_unknown=ignore] pam_sss.so
      account required pam_permit.so
      password requisite pam_pwquality.so local_users_only
      password sufficient pam_unix.so sha512 shadow nullok use_authtok

    Result of item-state comparison: not evaluated
    Path: /etc/pam.d/system-auth
    Content:
      auth required pam_env.so
      auth required pam_faildelay.so delay=2000000
      auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
      auth [default=1 ignore=ignore success=ok] pam_localuser.so
      auth sufficient pam_unix.so nullok
      auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
      auth sufficient pam_sss.so forward_pass
      auth required pam_deny.so
      account required pam_unix.so
      account sufficient pam_localuser.so
      account sufficient pam_usertype.so issystem
      account [default=bad success=ok user_unknown=ignore] pam_sss.so
      account required pam_permit.so
      password requisite pam_pwquality.so local_users_only
      password sufficient pam_unix.so sha512 shadow nullok use_authtok
    Verify No netrc Files Exist | xccdf_org.ssgproject.content_rule_no_netrc_files | medium | CCE-82667-7

    Verify No netrc Files Exist

    Rule ID: xccdf_org.ssgproject.content_rule_no_netrc_files
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-no_netrc_files:def:1
    Time: 2025-10-23T19:34:00+00:00
    Severity: medium
    Identifiers: CCE-82667-7
    References:
    cis-csc: 1, 11, 12, 14, 15, 16, 18, 3, 5
    cobit5: DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10
    disa: CCI-000196
    isa-62443-2009: 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
    iso27001-2013: A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
    nerc-cip: CIP-003-8 R1.3, CIP-003-8 R3, CIP-003-8 R3.1, CIP-003-8 R3.2, CIP-003-8 R3.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
    nist: IA-5(h), IA-5(1)(c), CM-6(a), IA-5(7)
    nist-csf: PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3
    Description
    The .netrc files contain login information used to log in automatically to FTP servers and reside in the user's home directory. These files may contain unencrypted passwords for remote FTP servers, making them susceptible to access by unauthorized users, and should not be used. Any .netrc files should be removed.
    Rationale
    Unencrypted passwords for remote FTP servers may be stored in .netrc files.
    OVAL test results details

    look for .netrc in /home  oval:ssg-test_no_netrc_files_home:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_no_netrc_files_home:obj:1 of type file_object
    Behaviors: no value
    Path: /home
    Filename: ^\.netrc$
    Verify Only Root Has UID 0 | xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero | high | CCE-82699-0

    Verify Only Root Has UID 0

    Rule ID: xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-accounts_no_uid_except_zero:def:1
    Time: 2025-10-23T19:34:00+00:00
    Severity: high
    Identifiers: CCE-82699-0
    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 18, 3, 5
    cobit5: APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10
    cui: 3.1.1, 3.1.5
    disa: CCI-000366
    isa-62443-2009: 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
    nerc-cip: CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
    nist: IA-2, AC-6(5), IA-4(b)
    nist-csf: PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5
    pcidss: Req-8.5
    os-srg: SRG-OS-000480-GPOS-00227
    pcidss4: 8.2.1, 8.2
    Description
    If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
    If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID greater than "1000" that has not already been assigned.
    Rationale
    An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.
    OVAL test results details

    test that there are no accounts with UID 0 except root in the /etc/passwd file  oval:ssg-test_accounts_no_uid_except_root:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type textfilecontent54_object
    Filepath: /etc/passwd
    Pattern: ^(?!root:)[^:]*:[^:]*:0
    Instance: 1
    Direct root Logins Not Allowed | xccdf_org.ssgproject.content_rule_no_direct_root_logins | medium | CCE-82698-2

    Direct root Logins Not Allowed

    Rule ID: xccdf_org.ssgproject.content_rule_no_direct_root_logins
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-no_direct_root_logins:def:1
    Time: 2025-10-23T19:34:00+00:00
    Severity: medium
    Identifiers: CCE-82698-2
    References:
    cis-csc: 1, 12, 15, 16, 5
    cobit5: DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
    cui: 3.1.1, 3.1.6
    hipaa: 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
    isa-62443-2009: 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1
    iso27001-2013: A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
    nerc-cip: CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
    nist: IA-2, CM-6(a)
    nist-csf: PR.AC-1, PR.AC-6, PR.AC-7
    anssi: R33
    pcidss4: 8.6.1, 8.6
    Description
    To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to log in to. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or via a raw network interface. This is dangerous, as a user can then log in to the system as root via Telnet, which sends the password in plain text over the network. By default, Red Hat Enterprise Linux CoreOS 4's /etc/securetty file only allows the root user to log in at the console physically attached to the system. To prevent direct root logins, remove the contents of this file by typing the following command (the redirection must run under sudo, not in the calling user's shell):
    $ sudo sh -c 'echo > /etc/securetty'
    
    Rationale
    Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems.
    Warnings
    warning  This rule only checks the /etc/securetty file existence and its content. If you need to restrict user access using the /etc/securetty file, make sure the pam_securetty.so PAM module is properly enabled in relevant PAM files.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,
            mode: 0600
            path: /etc/securetty
            overwrite: true
    
    OVAL test results details

    no entries in /etc/securetty  oval:ssg-test_no_direct_root_logins:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_no_direct_root_logins:obj:1 of type textfilecontent54_object
    Filepath: /etc/securetty
    Pattern: ^$
    Instance: 1

    /etc/securetty file exists  oval:ssg-test_etc_securetty_exists:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_etc_securetty_exists:obj:1 of type textfilecontent54_object
    Filepath: /etc/securetty
    Pattern: ^.*$
    Instance: 1
    Ensure that System Accounts Do Not Run a Shell Upon Login  xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts  medium  CCE-82697-4

    Ensure that System Accounts Do Not Run a Shell Upon Login

    Rule ID: xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-no_shelllogin_for_systemaccounts:def:1
    Time: 2025-10-23T19:34:00+00:00
    Severity: medium
    Identifiers:

    CCE-82697-4

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8
    cobit5: DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03
    disa: CCI-000366
    isa-62443-2009: 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
    isa-62443-2013: SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2
    ism: 1491
    iso27001-2013: A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
    nist: AC-6, CM-6(a), CM-6(b), CM-6.1(iv)
    nist-csf: DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6
    os-srg: SRG-OS-000480-GPOS-00227
    pcidss4: 8.2.2, 8.2
    Description
    Some accounts are not associated with a human user of the system, and exist to perform some administrative functions. Should an attacker be able to log into these accounts, they should not be granted access to a shell.

    The login shell for each local account is stored in the last field of each line in /etc/passwd. System accounts are those user accounts with a user ID less than 1000. The user ID is stored in the third field. If any system account other than root has a login shell, disable it with the command:
    $ sudo usermod -s /sbin/nologin account
             
    Rationale
    Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.
    Warnings
    warning  Do not perform the steps in this section on the root account. Doing so might cause the system to become inaccessible.
    OVAL test results details

    SYS_UID_MIN not defined in /etc/login.defs  oval:ssg-test_sys_uid_min_not_defined:tst:1  false

    Following items have been found on the system:

    SYS_UID_MAX not defined in /etc/login.defs  oval:ssg-test_sys_uid_max_not_defined:tst:1  false

    Following items have been found on the system:

    <0, UID_MIN - 1> system UIDs having shell set  oval:ssg-test_shell_defined_default_uid_range:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: true
    Path: /etc/passwd
    Content: core:x:1000:1000:CoreOS Admin:/var/home/core:/bin/bash

    <0, SYS_UID_MIN> system UIDs having shell set  oval:ssg-test_shell_defined_reserved_uid_range:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: true
    Path: /etc/passwd
    Content: core:x:1000:1000:CoreOS Admin:/var/home/core:/bin/bash

    <SYS_UID_MIN, SYS_UID_MAX> system UIDS having shell set  oval:ssg-test_shell_defined_dynalloc_uid_range:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: true
    Path: /etc/passwd
    Content: core:x:1000:1000:CoreOS Admin:/var/home/core:/bin/bash
    Enable Kernel Page-Table Isolation (KPTI)  xccdf_org.ssgproject.content_rule_coreos_pti_kernel_argument  high  CCE-82497-9

    Enable Kernel Page-Table Isolation (KPTI)

    Rule ID: xccdf_org.ssgproject.content_rule_coreos_pti_kernel_argument
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-coreos_pti_kernel_argument:def:1
    Time: 2025-10-23T19:34:00+00:00
    Severity: high
    Identifiers:

    CCE-82497-9

    References:
    nist: SI-16
    os-srg: SRG-OS-000433-GPOS-00193
    Description
    To enable Kernel page-table isolation, add the argument pti=on to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf.
    Rationale
    Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR).

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: restrict
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
      kernelArguments:
        - pti=on
    
    OVAL test results details

    Check if /boot/loader/entries/ostree-2.*.conf does not exist  oval:ssg-test_coreos_pti_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_coreos_pti_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1 of type file_object
    Filepath: ^/boot/loader/entries/ostree-2.*.conf

    Check if argument pti=on is present in the line starting with 'options ' in /boot/loader/entries/ostree-1.*.conf  oval:ssg-test_coreos_pti_kernel_argument_pti_on_argument_in_boot_loader_entries_ostree_1_conf:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: false
    Path: /boot/loader/entries/ostree-1.conf
    Content: options rw $ignition_firstboot ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1="all" psi=0

    Check if argument pti=on is present in the line starting with 'options ' in /boot/loader/entries/ostree-2.*.conf  oval:ssg-test_coreos_pti_kernel_argument_pti_on_argument_in_boot_loader_entries_ostree_2_conf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_coreos_pti_kernel_argument_pti_on_argument_in_boot_loader_entries_ostree_2_conf:obj:1 of type textfilecontent54_object
    Filepath: ^/boot/loader/entries/ostree-2.*.conf
    Pattern: ^options (.*)$
    Instance: 1

    Check if argument pti=on is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline  oval:ssg-test_coreos_pti_kernel_argument_pti_on_argument_in_proc_cmdline:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: false
    Path: /proc/cmdline
    Content: BOOT_IMAGE=(hd0,gpt3)/boot/ostree/rhcos-96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/vmlinuz-5.14.0-570.51.1.el9_6.x86_64 rw ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all psi=0
    Disable vsyscalls  xccdf_org.ssgproject.content_rule_coreos_vsyscall_kernel_argument  medium  CCE-82674-3

    Disable vsyscalls

    Rule ID: xccdf_org.ssgproject.content_rule_coreos_vsyscall_kernel_argument
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-coreos_vsyscall_kernel_argument:def:1
    Time: 2025-10-23T19:34:00+00:00
    Severity: medium
    Identifiers:

    CCE-82674-3

    References:
    nist: CM-7(a)
    os-srg: SRG-OS-000480-GPOS-00227
    app-srg-ctr: SRG-APP-000243-CTR-000600, CNTR-OS-000560, CNTR-OS-000570, CNTR-OS-000580, CNTR-OS-000590, CNTR-OS-000600, CNTR-OS-000610
    Description
    To disable use of virtual syscalls, add the argument vsyscall=none to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf.
    Rationale
    Virtual syscalls provide an attack opportunity for a user who has control of the return instruction pointer.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: restrict
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
      kernelArguments:
        - vsyscall=none
    
    OVAL test results details

    Check if /boot/loader/entries/ostree-2.*.conf does not exist  oval:ssg-test_coreos_vsyscall_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_coreos_vsyscall_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1 of type file_object
    Filepath: ^/boot/loader/entries/ostree-2.*.conf

    Check if argument vsyscall=none is present in the line starting with 'options ' in /boot/loader/entries/ostree-1.*.conf  oval:ssg-test_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_boot_loader_entries_ostree_1_conf:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: false
    Path: /boot/loader/entries/ostree-1.conf
    Content: options rw $ignition_firstboot ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1="all" psi=0

    Check if argument vsyscall=none is present in the line starting with 'options ' in /boot/loader/entries/ostree-2.*.conf  oval:ssg-test_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_boot_loader_entries_ostree_2_conf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_boot_loader_entries_ostree_2_conf:obj:1 of type textfilecontent54_object
    Filepath: ^/boot/loader/entries/ostree-2.*.conf
    Pattern: ^options (.*)$
    Instance: 1

    Check if argument vsyscall=none is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline  oval:ssg-test_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_proc_cmdline:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: false
    Path: /proc/cmdline
    Content: BOOT_IMAGE=(hd0,gpt3)/boot/ostree/rhcos-96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/vmlinuz-5.14.0-570.51.1.el9_6.x86_64 rw ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all psi=0
    Ensure Logrotate Runs Periodically  xccdf_org.ssgproject.content_rule_ensure_logrotate_activated  medium  CCE-82689-1

    Ensure Logrotate Runs Periodically

    Rule ID: xccdf_org.ssgproject.content_rule_ensure_logrotate_activated
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-ensure_logrotate_activated:def:1
    Time: 2025-10-23T19:34:00+00:00
    Severity: medium
    Identifiers:

    CCE-82689-1

    References:
    cis-csc: 1, 14, 15, 16, 3, 5, 6
    cobit5: APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01
    disa: CCI-000366
    isa-62443-2009: 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
    nist: CM-6(a)
    nist-csf: PR.PT-1
    pcidss: Req-10.7
    anssi: R71
    Description
    The logrotate utility allows for the automatic rotation of log files. The frequency of rotation is specified in /etc/logrotate.conf; the rotation run itself is triggered by a cron task or a systemd timer. To configure logrotate to run daily, add or correct the following line in /etc/logrotate.conf:
    # rotate log files frequency
    daily
    Rationale
    Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.

    Complexity: low
    Disruption: low
    Reboot: true
    Strategy: restrict
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %23%20see%20%22man%20logrotate%22%20for%20details%0A%23%20rotate%20log%20files%20daily%0Adaily%0A%0A%23%20keep%204%20weeks%20worth%20of%20backlogs%0Arotate%2030%0A%0A%23%20create%20new%20%28empty%29%20log%20files%20after%20rotating%20old%20ones%0Acreate%0A%0A%23%20use%20date%20as%20a%20suffix%20of%20the%20rotated%20file%0Adateext%0A%0A%23%20uncomment%20this%20if%20you%20want%20your%20log%20files%20compressed%0A%23compress%0A%0A%23%20RPM%20packages%20drop%20log%20rotation%20information%20into%20this%20directory%0Ainclude%20/etc/logrotate.d%0A%0A%23%20system-specific%20logs%20may%20be%20also%20be%20configured%20here. }}
            mode: 0644
            path: /etc/logrotate.conf
            overwrite: true
    
    OVAL test results details

    package logrotate is installed  oval:ssg-test_package_logrotate_installed:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Name  Arch  Epoch  Release  Version  Evr  Signature keyid  Extended name
    not evaluated  logrotate  x86_64  (none)  9.el9  3.18.0  0:3.18.0-9.el9  199e2f91fd431d51  logrotate-0:3.18.0-9.el9.x86_64

    Tests the presence of daily setting in /etc/logrotate.conf file  oval:ssg-test_logrotate_conf_daily_setting:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_logrotate_conf_daily_setting:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/logrotate.conf  ^\s*daily[\s#]*$  1

    Test if there is no weekly/monthly/yearly keyword  oval:ssg-test_logrotate_conf_no_other_keyword:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /etc/logrotate.conf  weekly

    Tests the existence of /etc/cron.daily/logrotate file (and verify it actually calls logrotate utility)  oval:ssg-test_cron_daily_logrotate_existence:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_cron_daily_logrotate_existence:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/cron.daily/logrotate  ^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$  1

    look for logrotate.timer in multi-user.target.wants and timers.target.wants  oval:ssg-test_logrotate_enabled_systemd_target:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Type  UID  GID  Size (B)  Permissions
    not evaluated  /etc/systemd/system/timers.target.wants/logrotate.timer  symbolic link  0  0  39  rwxrwxrwx
    Install iptables-nft Package  xccdf_org.ssgproject.content_rule_package_iptables-nft_installed  medium  CCE-86834-9

    Install iptables-nft Package

    Rule ID  xccdf_org.ssgproject.content_rule_package_iptables-nft_installed
    Result
    notapplicable
    Multi-check rule  no
    Time  2025-10-23T19:34:00+00:00
    Severity  medium
    Identifiers:

    CCE-86834-9

    References:
    nist  CM-6(a)
    Description
    The iptables-nft package can be installed with the following command:
    $ sudo dnf install iptables-nft
    Rationale
    iptables-nft controls the Linux kernel network packet filtering code. iptables-nft allows system operators to set up firewalls and IP masquerading, etc.
    Install iptables Package  xccdf_org.ssgproject.content_rule_package_iptables_installed  medium  CCE-82522-4

    Install iptables Package

    Rule ID  xccdf_org.ssgproject.content_rule_package_iptables_installed
    Result
    notapplicable
    Multi-check rule  no
    Time  2025-10-23T19:34:04+00:00
    Severity  medium
    Identifiers:

    CCE-82522-4

    References:
    nist  CM-6(a)
    pcidss  Req-1.4.1
    os-srg  SRG-OS-000480-GPOS-00227
    Description
    The iptables package can be installed with the following command:
    $ sudo dnf install iptables
    Rationale
    iptables controls the Linux kernel network packet filtering code. iptables allows system operators to set up firewalls and IP masquerading, etc.
    Configure Accepting Router Advertisements on All IPv6 Interfaces  xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra  medium  CCE-82467-2

    Configure Accepting Router Advertisements on All IPv6 Interfaces

    Rule ID  xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra
    Result
    fail
    Multi-check rule  no
    OVAL Definition ID  oval:ssg-sysctl_net_ipv6_conf_all_accept_ra:def:1
    Time  2025-10-23T19:34:16+00:00
    Severity  medium
    Identifiers:

    CCE-82467-2

    References:
    cis-csc  11, 14, 3, 9
    cobit5  BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
    cui  3.1.20
    disa  CCI-000366
    isa-62443-2009  4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
    isa-62443-2013  SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
    iso27001-2013  A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
    nist  CM-7(a), CM-7(b), CM-6(a)
    nist-csf  PR.IP-1, PR.PT-3
    os-srg  SRG-OS-000480-GPOS-00227
    Description
    To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command:
    $ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.ipv6.conf.all.accept_ra = 0
    Rationale
    An illicit router advertisement message could result in a man-in-the-middle attack.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,net.ipv6.conf.all.accept_ra%3D0%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_ra.conf
            overwrite: true
    
    OVAL test results details

    net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

    net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

    net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
    Path  Filename  Pattern  Instance
    /usr/lib/sysctl.d  ^.*\.conf$  ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$  1

    kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison  Name  Value
    false  net.ipv6.conf.all.disable_ipv6  0

    net.ipv6.conf.all.accept_ra static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1

    net.ipv6.conf.all.accept_ra static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1

    net.ipv6.conf.all.accept_ra static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type textfilecontent54_object
    Path  Filename  Pattern  Instance
    /usr/lib/sysctl.d  ^.*\.conf$  ^[\s]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(.*\S)[\s]*$  1

    kernel runtime parameter net.ipv6.conf.all.accept_ra set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison  Name  Value
    false  net.ipv6.conf.all.accept_ra  1
    Disable Accepting ICMP Redirects for All IPv6 Interfaces  xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects  medium  CCE-82471-4

    Disable Accepting ICMP Redirects for All IPv6 Interfaces

    Rule ID  xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects
    Result
    fail
    Multi-check rule  no
    OVAL Definition ID  oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1
    Time  2025-10-23T19:34:21+00:00
    Severity  medium
    Identifiers:

    CCE-82471-4

    References:
    cis-csc  11, 14, 3, 9
    cobit5  BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
    cui  3.1.20
    disa  CCI-000366
    isa-62443-2009  4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
    isa-62443-2013  SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
    iso27001-2013  A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
    nist  CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv)
    nist-csf  PR.IP-1, PR.PT-3
    os-srg  SRG-OS-000480-GPOS-00227
    anssi  R13
    Description
    To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command:
    $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.ipv6.conf.all.accept_redirects = 0
    Rationale
    An illicit ICMP redirect message could result in a man-in-the-middle attack.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,net.ipv6.conf.all.accept_redirects%3D0%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_redirects.conf
            overwrite: true
    
    OVAL test results details

    net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

    net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

    net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
    Path  Filename  Pattern  Instance
    /usr/lib/sysctl.d  ^.*\.conf$  ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$  1

    kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison  Name  Value
    false  net.ipv6.conf.all.disable_ipv6  0

    net.ipv6.conf.all.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_redirects:obj:1

    net.ipv6.conf.all.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_redirects:obj:1

    net.ipv6.conf.all.accept_redirects static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 of type textfilecontent54_object
    Path  Filename  Pattern  Instance
    /usr/lib/sysctl.d  ^.*\.conf$  ^[\s]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$  1

    kernel runtime parameter net.ipv6.conf.all.accept_redirects set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison  Name  Value
    false  net.ipv6.conf.all.accept_redirects  1
    Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces  xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route  medium  CCE-82480-5

    Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces

    Rule ID  xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route
    Result
    fail
    Multi-check rule  no
    OVAL Definition ID  oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route:def:1
    Time  2025-10-23T19:34:25+00:00
    Severity  medium
    Identifiers:

    CCE-82480-5

    References:
    cis-csc  1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9
    cobit5  APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02
    cui  3.1.20
    disa  CCI-000366
    isa-62443-2009  4.2.3.4, 4.3.3.4, 4.4.3.3
    isa-62443-2013  SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
    iso27001-2013  A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nist  CM-7(a), CM-7(b), CM-6(a)
    nist-csf  DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4
    os-srg  SRG-OS-000480-GPOS-00227
    anssi  R13
    Description
    To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command:
    $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.ipv6.conf.all.accept_source_route = 0
    Rationale
    Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than the one configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.

    Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,net.ipv6.conf.all.accept_source_route%3D0%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_source_route.conf
            overwrite: true
    
    OVAL test results details

    net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

    net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

    net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
    Path  Filename  Pattern  Instance
    /usr/lib/sysctl.d  ^.*\.conf$  ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$  1

    kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison  Name  Value
    false  net.ipv6.conf.all.disable_ipv6  0

    net.ipv6.conf.all.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1

    net.ipv6.conf.all.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1

    net.ipv6.conf.all.accept_source_route static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type textfilecontent54_object
    Path  Filename  Pattern  Instance
    /usr/lib/sysctl.d  ^.*\.conf$  ^[\s]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$  1

    kernel runtime parameter net.ipv6.conf.all.accept_source_route set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_runtime:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Name  Value
    true  net.ipv6.conf.all.accept_source_route  0
    Disable Accepting Router Advertisements on all IPv6 Interfaces by Default  xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra  medium  CCE-82468-0

    Disable Accepting Router Advertisements on all IPv6 Interfaces by Default

    Rule ID  xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra
    Result
    fail
    Multi-check rule  no
    OVAL Definition ID  oval:ssg-sysctl_net_ipv6_conf_default_accept_ra:def:1
    Time  2025-10-23T19:34:28+00:00
    Severity  medium
    Identifiers:

    CCE-82468-0

    References:
    cis-csc  11, 14, 3, 9
    cobit5  BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
    cui  3.1.20
    disa  CCI-000366
    isa-62443-2009  4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
    isa-62443-2013  SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
    iso27001-2013  A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
    nist  CM-7(a), CM-7(b), CM-6(a)
    nist-csf  PR.IP-1, PR.PT-3
    os-srg  SRG-OS-000480-GPOS-00227
    Description
    To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command:
    $ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.ipv6.conf.default.accept_ra = 0
    Rationale
    An illicit router advertisement message could result in a man-in-the-middle attack.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,net.ipv6.conf.default.accept_ra%3D0%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_ra.conf
            overwrite: true
    
    OVAL test results details

    net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

    net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

    net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
    Path  Filename  Pattern  Instance
    /usr/lib/sysctl.d  ^.*\.conf$  ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$  1

    kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison  Name  Value
    false  net.ipv6.conf.all.disable_ipv6  0

    net.ipv6.conf.default.accept_ra static configuration  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1

    net.ipv6.conf.default.accept_ra static configuration  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1

    net.ipv6.conf.default.accept_ra static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type textfilecontent54_object
    Path  Filename  Pattern  Instance
    /usr/lib/sysctl.d  ^.*\.conf$  ^[\s]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(.*\S)[\s]*$  1

    kernel runtime parameter net.ipv6.conf.default.accept_ra set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison  Name  Value
    false  net.ipv6.conf.default.accept_ra  1
    Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces  xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects  medium  CCE-82477-1

    Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

    Rule ID  xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects
    Result
    fail
    Multi-check rule  no
    OVAL Definition ID  oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects:def:1
    Time  2025-10-23T19:34:33+00:00
    Severity  medium
    Identifiers:

    CCE-82477-1

    References:
    cis-csc  11, 14, 3, 9
    cobit5  BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
    cui  3.1.20
    disa  CCI-000366
    isa-62443-2009  4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
    isa-62443-2013  SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
    iso27001-2013  A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
    nist  CM-7(a), CM-7(b), CM-6(a)
    nist-csf  PR.IP-1, PR.PT-3
    os-srg  SRG-OS-000480-GPOS-00227
    anssi  R13
    Description
    To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:
    $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.ipv6.conf.default.accept_redirects = 0
    Rationale
    An illicit ICMP redirect message could result in a man-in-the-middle attack.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,net.ipv6.conf.default.accept_redirects%20%3D%200%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_redirects.conf
            overwrite: true
    
    OVAL test results details

    net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

    net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

    net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
    Path  Filename  Pattern  Instance
    /usr/lib/sysctl.d  ^.*\.conf$  ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$  1

    kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison  Name  Value
    false  net.ipv6.conf.all.disable_ipv6  0

    net.ipv6.conf.default.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1

    net.ipv6.conf.default.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1

    net.ipv6.conf.default.accept_redirects static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
    Path: /usr/lib/sysctl.d
    Filename: ^.*\.conf$
    Pattern: ^[\s]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$
    Instance: 1

    kernel runtime parameter net.ipv6.conf.default.accept_redirects set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: false
    Name: net.ipv6.conf.default.accept_redirects
    Value: 1
    Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default  xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route  medium  CCE-82481-3

    Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route:def:1
    Time: 2025-10-23T19:34:38+00:00
    Severity: medium
    Identifiers:

    CCE-82481-3

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9
    cobit5: APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02
    cui: 3.1.20
    disa: CCI-000366
    isa-62443-2009: 4.2.3.4, 4.3.3.4, 4.4.3.3
    isa-62443-2013: SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nist: CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv)
    nist-csf: DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4
    pcidss: Req-1.4.3
    os-srg: SRG-OS-000480-GPOS-00227
    anssi: R13
    pcidss4: 1.4.2, 1.4
    Description
    To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command:
    $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.ipv6.conf.default.accept_source_route = 0
    Rationale
    Source-routed packets allow the source of the packet to suggest that routers forward the packet along a path different from the one configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,net.ipv6.conf.default.accept_source_route%3D0%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_source_route.conf
            overwrite: true
    
    OVAL test results details

    net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

    net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1

    net.ipv6.conf.all.disable_ipv6 static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
    Path: /usr/lib/sysctl.d
    Filename: ^.*\.conf$
    Pattern: ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$
    Instance: 1

    kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: false
    Name: net.ipv6.conf.all.disable_ipv6
    Value: 0

    net.ipv6.conf.default.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1

    net.ipv6.conf.default.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1

    net.ipv6.conf.default.accept_source_route static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type textfilecontent54_object
    Path: /usr/lib/sysctl.d
    Filename: ^.*\.conf$
    Pattern: ^[\s]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$
    Instance: 1

    kernel runtime parameter net.ipv6.conf.default.accept_source_route set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_runtime:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: true
    Name: net.ipv6.conf.default.accept_source_route
    Value: 0
    Disable Accepting ICMP Redirects for All IPv4 Interfaces  xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects  medium  CCE-82469-8

    Disable Accepting ICMP Redirects for All IPv4 Interfaces

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects:def:1
    Time: 2025-10-23T19:34:42+00:00
    Severity: medium
    Identifiers:

    CCE-82469-8

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9
    cjis: 5.10.1.1
    cobit5: APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06
    cui: 3.1.20
    disa: CCI-000366
    isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6
    iso27001-2013: A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2
    nist: CM-7(a), CM-7(b), CM-6(a), SC-7(a)
    nist-csf: DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3
    os-srg: SRG-OS-000480-GPOS-00227
    anssi: R12
    Description
    To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:
    $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.ipv4.conf.all.accept_redirects = 0
    Rationale
    ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
    This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,net.ipv4.conf.all.accept_redirects%3D0%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_redirects.conf
            overwrite: true
    
    OVAL test results details

    net.ipv4.conf.all.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_accept_redirects:obj:1

    net.ipv4.conf.all.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_accept_redirects:obj:1

    net.ipv4.conf.all.accept_redirects static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 of type textfilecontent54_object
    Path: /usr/lib/sysctl.d
    Filename: ^.*\.conf$
    Pattern: ^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$
    Instance: 1

    kernel runtime parameter net.ipv4.conf.all.accept_redirects set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: false
    Name: net.ipv4.conf.all.accept_redirects
    Value: 1
    Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces  xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route  medium  CCE-82478-9

    Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route:def:1
    Time: 2025-10-23T19:34:48+00:00
    Severity: medium
    Identifiers:

    CCE-82478-9

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9
    cobit5: APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
    cui: 3.1.20
    disa: CCI-000366
    isa-62443-2009: 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nerc-cip: CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1
    nist: CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a)
    nist-csf: DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
    os-srg: SRG-OS-000480-GPOS-00227
    anssi: R12
    Description
    To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:
    $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.ipv4.conf.all.accept_source_route = 0
    Rationale
    Source-routed packets allow the source of the packet to suggest that routers forward the packet along a path different from the one configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

    Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,net.ipv4.conf.all.accept_source_route%3D0%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_source_route.conf
            overwrite: true
    
    OVAL test results details

    net.ipv4.conf.all.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1

    net.ipv4.conf.all.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1

    net.ipv4.conf.all.accept_source_route static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type textfilecontent54_object
    Path: /usr/lib/sysctl.d
    Filename: ^.*\.conf$
    Pattern: ^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$
    Instance: 1

    kernel runtime parameter net.ipv4.conf.all.accept_source_route set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_runtime:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: true
    Name: net.ipv4.conf.all.accept_source_route
    Value: 0
    Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces  xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians  unknown  CCE-82486-2

    Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_net_ipv4_conf_all_log_martians:def:1
    Time: 2025-10-23T19:34:54+00:00
    Severity: unknown
    Identifiers:

    CCE-82486-2

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9
    cobit5: APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06
    cui: 3.1.20
    disa: CCI-000366
    isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
    iso27001-2013: A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2
    nist: CM-7(a), CM-7(b), SC-5(3)(a)
    nist-csf: DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4
    os-srg: SRG-OS-000480-GPOS-00227
    Description
    To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command:
    $ sudo sysctl -w net.ipv4.conf.all.log_martians=1
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.ipv4.conf.all.log_martians = 1
    Rationale
    The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,net.ipv4.conf.all.log_martians%3D1%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_log_martians.conf
            overwrite: true
    
    OVAL test results details

    net.ipv4.conf.all.log_martians static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_log_martians:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1

    net.ipv4.conf.all.log_martians static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_log_martians:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1

    net.ipv4.conf.all.log_martians static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_log_martians:obj:1 of type textfilecontent54_object
    Path: /usr/lib/sysctl.d
    Filename: ^.*\.conf$
    Pattern: ^[\s]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(.*\S)[\s]*$
    Instance: 1

    kernel runtime parameter net.ipv4.conf.all.log_martians set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: false
    Name: net.ipv4.conf.all.log_martians
    Value: 0
    Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces  xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter  medium  CCE-82488-8

    Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_net_ipv4_conf_all_rp_filter:def:1
    Time: 2025-10-23T19:34:58+00:00
    Severity: medium
    Identifiers:

    CCE-82488-8

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9
    cobit5: APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02
    cui: 3.1.20
    disa: CCI-000366
    isa-62443-2009: 4.2.3.4, 4.3.3.4, 4.4.3.3
    isa-62443-2013: SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nist: CM-7(a), CM-7(b), CM-6(a), SC-7(a)
    nist-csf: DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4
    pcidss: Req-1.4.3
    os-srg: SRG-OS-000480-GPOS-00227
    anssi: R12
    pcidss4: 1.4.3, 1.4
    Description
    To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:
    $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.ipv4.conf.all.rp_filter = 1
    Rationale
    Enabling reverse path filtering drops packets whose source addresses could not legitimately have arrived on the interface on which they were received. It should not be used on systems that route for complicated networks, but it is helpful for end hosts and for routers serving small networks.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,net.ipv4.conf.all.rp_filter%3D1%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_rp_filter.conf
            overwrite: true
    
    OVAL test results details

    net.ipv4.conf.all.rp_filter static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1

    net.ipv4.conf.all.rp_filter static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1

    net.ipv4.conf.all.rp_filter static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type textfilecontent54_object
    Path: /usr/lib/sysctl.d
    Filename: ^.*\.conf$
    Pattern: ^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(.*\S)[\s]*$
    Instance: 1

    kernel runtime parameter net.ipv4.conf.all.rp_filter set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: false
    Name: net.ipv4.conf.all.rp_filter
    Value: 0
    Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces  xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects  medium  CCE-82482-1

    Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects:def:1
    Time: 2025-10-23T19:35:04+00:00
    Severity: medium
    Identifiers:

    CCE-82482-1

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9
    cobit5: APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
    cui: 3.1.20
    disa: CCI-001503, CCI-001551
    isa-62443-2009: 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nist: CM-7(a), CM-7(b), CM-6(a), SC-7(a)
    nist-csf: DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
    pcidss: Req-1.4.3
    os-srg: SRG-OS-000480-GPOS-00227
    anssi: R12
    pcidss4: 1.4.3, 1.4
    Description
    To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command:
    $ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.ipv4.conf.all.secure_redirects = 0
    Rationale
    Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,net.ipv4.conf.all.secure_redirects%3D0%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_secure_redirects.conf
            overwrite: true
    
    OVAL test results details

    net.ipv4.conf.all.secure_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_secure_redirects:obj:1

    net.ipv4.conf.all.secure_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_secure_redirects:obj:1

    net.ipv4.conf.all.secure_redirects static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 of type textfilecontent54_object
    Path: /usr/lib/sysctl.d
    Filename: ^.*\.conf$
    Pattern: ^[\s]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(.*\S)[\s]*$
    Instance: 1

    kernel runtime parameter net.ipv4.conf.all.secure_redirects set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: false
    Name: net.ipv4.conf.all.secure_redirects
    Value: 1
    Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces  xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects  medium  CCE-82470-6

    Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces

    Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects
    Result
    fail
    Multi-check ruleno
    OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_default_accept_redirects:def:1
    Time2025-10-23T19:35:08+00:00
    Severitymedium
    Identifiers:

    CCE-82470-6

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9
    cjis: 5.10.1.1
    cobit5: APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
    cui: 3.1.20
    disa: CCI-000366
    isa-62443-2009: 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nist: CM-7(a), CM-7(b), CM-6(a), SC-7(a)
    nist-csf: DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
    pcidss: Req-1.4.3
    os-srg: SRG-OS-000480-GPOS-00227
    anssi: R12
    pcidss4: 1.4.3, 1.4
    Description
    To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:
    $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.ipv4.conf.default.accept_redirects = 0
    Rationale
    ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
    This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,net.ipv4.conf.default.accept_redirects%3D0%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_redirects.conf
            overwrite: true
    
    OVAL test results details

    net.ipv4.conf.default.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1

    net.ipv4.conf.default.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1

    net.ipv4.conf.default.accept_redirects static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
    Path  Filename  Pattern  Instance
    /usr/lib/sysctl.d  ^.*\.conf$  ^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$  1

    kernel runtime parameter net.ipv4.conf.default.accept_redirects set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison  Name  Value
    false  net.ipv4.conf.default.accept_redirects  1
    Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route:def:1
    Time: 2025-10-23T19:35:12+00:00
    Severity: medium
    Identifiers:

    CCE-82479-7

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9
    cjis: 5.10.1.1
    cobit5: APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
    cui: 3.1.20
    disa: CCI-000366
    isa-62443-2009: 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nerc-cip: CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1
    nist: CM-7(a), CM-7(b), SC-5, SC-7(a)
    nist-csf: DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
    os-srg: SRG-OS-000480-GPOS-00227
    anssi: R12
    Description
    To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:
    $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.ipv4.conf.default.accept_source_route = 0
    Rationale
    Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
    Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.
    OVAL test results details

    net.ipv4.conf.default.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1

    net.ipv4.conf.default.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1

    net.ipv4.conf.default.accept_source_route static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_pkg_correct:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    true  /usr/lib/sysctl.d/50-default.conf  net.ipv4.conf.default.accept_source_route = 0

    kernel runtime parameter net.ipv4.conf.default.accept_source_route set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_runtime:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Name  Value
    true  net.ipv4.conf.default.accept_source_route  0
    Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_net_ipv4_conf_default_log_martians:def:1
    Time: 2025-10-23T19:35:17+00:00
    Severity: unknown
    Identifiers:

    CCE-82487-0

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9
    cobit5: APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06
    cui: 3.1.20
    disa: CCI-000366
    isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
    iso27001-2013: A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2
    nist: CM-7(a), CM-7(b), SC-5(3)(a)
    nist-csf: DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4
    os-srg: SRG-OS-000480-GPOS-00227
    Description
    To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command:
    $ sudo sysctl -w net.ipv4.conf.default.log_martians=1
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.ipv4.conf.default.log_martians = 1
    Rationale
    The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,net.ipv4.conf.default.log_martians%3D1%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_log_martians.conf
            overwrite: true
    
    OVAL test results details

    net.ipv4.conf.default.log_martians static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_log_martians:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1

    net.ipv4.conf.default.log_martians static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_log_martians:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1

    net.ipv4.conf.default.log_martians static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_default_log_martians:obj:1 of type textfilecontent54_object
    Path  Filename  Pattern  Instance
    /usr/lib/sysctl.d  ^.*\.conf$  ^[\s]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(.*\S)[\s]*$  1

    kernel runtime parameter net.ipv4.conf.default.log_martians set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison  Name  Value
    false  net.ipv4.conf.default.log_martians  0
    Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_net_ipv4_conf_default_rp_filter:def:1
    Time: 2025-10-23T19:35:21+00:00
    Severity: medium
    Identifiers:

    CCE-82489-6

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9
    cobit5: APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02
    cui: 3.1.20
    disa: CCI-000366
    isa-62443-2009: 4.2.3.4, 4.3.3.4, 4.4.3.3
    isa-62443-2013: SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nist: CM-7(a), CM-7(b), CM-6(a), SC-7(a)
    nist-csf: DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4
    os-srg: SRG-OS-000480-GPOS-00227
    anssi: R12
    Description
    To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command:
    $ sudo sysctl -w net.ipv4.conf.default.rp_filter=1
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.ipv4.conf.default.rp_filter = 1
    Rationale
    Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,net.ipv4.conf.default.rp_filter%3D1%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_rp_filter.conf
            overwrite: true
    
    OVAL test results details

    net.ipv4.conf.default.rp_filter static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_rp_filter:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1

    net.ipv4.conf.default.rp_filter static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_rp_filter:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1

    net.ipv4.conf.default.rp_filter static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_pkg_correct:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    false  /usr/lib/sysctl.d/50-default.conf  net.ipv4.conf.default.rp_filter = 2
    true  /usr/lib/sysctl.d/50-redhat.conf  net.ipv4.conf.default.rp_filter = 1

    kernel runtime parameter net.ipv4.conf.default.rp_filter set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_runtime:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Name  Value
    true  net.ipv4.conf.default.rp_filter  1
    Configure Kernel Parameter for Accepting Secure Redirects By Default

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects:def:1
    Time: 2025-10-23T19:35:25+00:00
    Severity: medium
    Identifiers:

    CCE-82483-9

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9
    cobit5: APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
    cui: 3.1.20
    disa: CCI-001551
    isa-62443-2009: 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nerc-cip: CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1
    nist: CM-7(a), CM-7(b), SC-5, SC-7(a)
    nist-csf: DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
    os-srg: SRG-OS-000480-GPOS-00227
    anssi: R12
    Description
    To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command:
    $ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.ipv4.conf.default.secure_redirects = 0
    Rationale
    Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,net.ipv4.conf.default.secure_redirects%3D0%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_secure_redirects.conf
            overwrite: true
    
    OVAL test results details

    net.ipv4.conf.default.secure_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_secure_redirects:obj:1

    net.ipv4.conf.default.secure_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_secure_redirects:obj:1

    net.ipv4.conf.default.secure_redirects static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 of type textfilecontent54_object
    Path  Filename  Pattern  Instance
    /usr/lib/sysctl.d  ^.*\.conf$  ^[\s]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(.*\S)[\s]*$  1

    kernel runtime parameter net.ipv4.conf.default.secure_redirects set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison  Name  Value
    false  net.ipv4.conf.default.secure_redirects  1
    Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts:def:1
    Time: 2025-10-23T19:35:28+00:00
    Severity: medium
    Identifiers:

    CCE-82491-2

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9
    cjis: 5.10.1.1
    cobit5: APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
    cui: 3.1.20
    disa: CCI-000366
    isa-62443-2009: 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nerc-cip: CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1
    nist: CM-7(a), CM-7(b), SC-5
    nist-csf: DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
    pcidss: Req-1.4.3
    os-srg: SRG-OS-000480-GPOS-00227
    pcidss4: 1.4.2, 1.4
    Description
    To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:
    $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    Rationale
    Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
    Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,net.ipv4.icmp_echo_ignore_broadcasts%3D1%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_net_ipv4_icmp_echo_ignore_broadcasts.conf
            overwrite: true
    
    OVAL test results details

    net.ipv4.icmp_echo_ignore_broadcasts static configuration  oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1

    net.ipv4.icmp_echo_ignore_broadcasts static configuration  oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1

    net.ipv4.icmp_echo_ignore_broadcasts static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object
    Path  Filename  Pattern  Instance
    /usr/lib/sysctl.d  ^.*\.conf$  ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(.*\S)[\s]*$  1

    kernel runtime parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_runtime:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Name  Value
    true  net.ipv4.icmp_echo_ignore_broadcasts  1
    Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses:def:1
    Time: 2025-10-23T19:35:35+00:00
    Severity: unknown
    Identifiers:

    CCE-82490-4

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9
    cobit5: APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06
    cui: 3.1.20
    disa: CCI-000366
    isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6
    iso27001-2013: A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2
    nerc-cip: CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1
    nist: CM-7(a), CM-7(b), SC-5
    nist-csf: DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3
    pcidss: Req-1.4.3
    os-srg: SRG-OS-000480-GPOS-00227
    anssi: R12
    pcidss4: 1.4.2, 1.4
    Description
    To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command:
    $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.ipv4.icmp_ignore_bogus_error_responses = 1
    Rationale
    Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,net.ipv4.icmp_ignore_bogus_error_responses%3D1%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_net_ipv4_icmp_ignore_bogus_error_responses.conf
            overwrite: true
    
    OVAL test results details

    net.ipv4.icmp_ignore_bogus_error_responses static configuration  oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1

    net.ipv4.icmp_ignore_bogus_error_responses static configuration  oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object
    Set: oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1, oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1

    net.ipv4.icmp_ignore_bogus_error_responses static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object
    Path: /usr/lib/sysctl.d
    Filename: ^.*\.conf$
    Pattern: ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(.*\S)[\s]*$
    Instance: 1

    kernel runtime parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_runtime:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: true
    Name: net.ipv4.icmp_ignore_bogus_error_responses
    Value: 1

    Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_net_ipv4_tcp_syncookies:def:1
    Time: 2025-10-23T19:35:40+00:00
    Severity: medium
    Identifiers:

    CCE-82492-0

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9
    cjis: 5.10.1.1
    cobit5: APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02
    cui: 3.1.20
    disa: CCI-001095, CCI-000366, CCI-002385
    isa-62443-2009: 4.2.3.4, 4.3.3.4, 4.4.3.3
    isa-62443-2013: SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nist: CM-7(a), CM-7(b), SC-5(1), SC-5(2), SC-5(3)(a), CM-6(a)
    nist-csf: DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4
    pcidss: Req-1.4.1
    os-srg: SRG-OS-000480-GPOS-00227, SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00071
    anssi: R12
    pcidss4: 1.4.3, 1.4
    Description
    To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command:
    $ sudo sysctl -w net.ipv4.tcp_syncookies=1
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.ipv4.tcp_syncookies = 1
    Rationale
    A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,net.ipv4.tcp_syncookies%3D1%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_net_ipv4_tcp_syncookies.conf
            overwrite: true
    
    OVAL test results details

    net.ipv4.tcp_syncookies static configuration  oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_tcp_syncookies:obj:1 of type textfilecontent54_object
    Set: oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1, oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1

    net.ipv4.tcp_syncookies static configuration  oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_tcp_syncookies:obj:1 of type textfilecontent54_object
    Set: oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1, oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1

    net.ipv4.tcp_syncookies static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_tcp_syncookies:obj:1 of type textfilecontent54_object
    Path: /usr/lib/sysctl.d
    Filename: ^.*\.conf$
    Pattern: ^[\s]*net.ipv4.tcp_syncookies[\s]*=[\s]*(.*\S)[\s]*$
    Instance: 1

    kernel runtime parameter net.ipv4.tcp_syncookies set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_runtime:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: true
    Name: net.ipv4.tcp_syncookies
    Value: 1

    Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_net_ipv4_conf_all_send_redirects:def:1
    Time: 2025-10-23T19:35:46+00:00
    Severity: medium
    Identifiers:

    CCE-82484-7

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9
    cjis: 5.10.1.1
    cobit5: APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
    cui: 3.1.20
    disa: CCI-000366
    isa-62443-2009: 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nerc-cip: CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1
    nist: CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a)
    nist-csf: DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
    os-srg: SRG-OS-000480-GPOS-00227
    anssi: R12
    pcidss4: 1.4.5, 1.4
    Description
    To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:
    $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.ipv4.conf.all.send_redirects = 0
    Rationale
    ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
    The ability to send ICMP redirects is only appropriate for systems acting as routers.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,net.ipv4.conf.all.send_redirects%3D0%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_send_redirects.conf
            overwrite: true
    
    OVAL test results details

    net.ipv4.conf.all.send_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_send_redirects:obj:1 of type textfilecontent54_object
    Set: oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_send_redirects:obj:1, oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_send_redirects:obj:1

    net.ipv4.conf.all.send_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_all_send_redirects:obj:1 of type textfilecontent54_object
    Set: oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_send_redirects:obj:1, oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_send_redirects:obj:1

    net.ipv4.conf.all.send_redirects static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_all_send_redirects:obj:1 of type textfilecontent54_object
    Path: /usr/lib/sysctl.d
    Filename: ^.*\.conf$
    Pattern: ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*(.*\S)[\s]*$
    Instance: 1

    kernel runtime parameter net.ipv4.conf.all.send_redirects set to 0  oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: false
    Name: net.ipv4.conf.all.send_redirects
    Value: 1

    Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_net_ipv4_conf_default_send_redirects:def:1
    Time: 2025-10-23T19:35:50+00:00
    Severity: medium
    Identifiers:

    CCE-82485-4

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9
    cjis: 5.10.1.1
    cobit5: APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06
    cui: 3.1.20
    disa: CCI-000366
    isa-62443-2009: 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nerc-cip: CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1
    nist: CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a)
    nist-csf: DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4
    os-srg: SRG-OS-000480-GPOS-00227
    anssi: R12
    pcidss4: 1.4.5, 1.4
    Description
    To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:
    $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.ipv4.conf.default.send_redirects = 0
    Rationale
    ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
    The ability to send ICMP redirects is only appropriate for systems acting as routers.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,net.ipv4.conf.default.send_redirects%3D0%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_send_redirects.conf
            overwrite: true
    
    OVAL test results details

    net.ipv4.conf.default.send_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_send_redirects:obj:1 of type textfilecontent54_object
    Set: oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_send_redirects:obj:1, oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_send_redirects:obj:1

    net.ipv4.conf.default.send_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_ipv4_conf_default_send_redirects:obj:1 of type textfilecontent54_object
    Set: oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_send_redirects:obj:1, oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_send_redirects:obj:1

    net.ipv4.conf.default.send_redirects static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_ipv4_conf_default_send_redirects:obj:1 of type textfilecontent54_object
    Path: /usr/lib/sysctl.d
    Filename: ^.*\.conf$
    Pattern: ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*(.*\S)[\s]*$
    Instance: 1

    kernel runtime parameter net.ipv4.conf.default.send_redirects set to 0  oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: false
    Name: net.ipv4.conf.default.send_redirects
    Value: 1

    Disable ATM Support

    Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-kernel_module_atm_disabled:def:1
    Time: 2025-10-23T19:35:50+00:00
    Severity: medium
    Identifiers:

    CCE-82518-2

    References:
    disa: CCI-000381
    nist: AC-18
    os-srg: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227
    Description
    The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. To configure the system to prevent the atm kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf:
    install atm /bin/false
    Rationale
    Disabling ATM protects the system against exploitation of any flaws in its implementation.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,install%20atm%20/bin/false%0Ablacklist%20atm%0A
            mode: 0644
            path: /etc/modprobe.d/atm.conf
            overwrite: true
    
    OVAL test results details

    kernel module atm blacklisted  oval:ssg-test_kernmod_atm_blacklisted:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /etc/modprobe.d/atm-blacklist.conf
    Content: blacklist atm

    kernel module atm disabled  oval:ssg-test_kernmod_atm_disabled:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_atm_disabled:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^\s*install\s+atm\s+(/bin/false|/bin/true)$
    Instance: 1

    kernel module atm disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_atm_modprobeconf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_atm_modprobeconf:obj:1 of type textfilecontent54_object
    Filepath: /etc/modprobe.conf
    Pattern: ^\s*install\s+atm\s+(/bin/false|/bin/true)$
    Instance: 1

    Disable CAN Support

    Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_can_disabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-kernel_module_can_disabled:def:1
    Time: 2025-10-23T19:35:50+00:00
    Severity: medium
    Identifiers:

    CCE-82519-0

    References:
    disa: CCI-000381
    nist: AC-18
    ospp: FMT_SMF_EXT.1
    os-srg: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227
    Description
    The Controller Area Network (CAN) is a serial communications protocol which was initially developed for automotive and is now also used in marine, industrial, and medical applications. To configure the system to prevent the can kernel module from being loaded, add the following line to the file /etc/modprobe.d/can.conf:
    install can /bin/false
    Rationale
    Disabling CAN protects the system against exploitation of any flaws in its implementation.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,install%20can%20/bin/false%0Ablacklist%20can%0A
            mode: 0644
            path: /etc/modprobe.d/can.conf
            overwrite: true
    
    OVAL test results details

    kernel module can blacklisted  oval:ssg-test_kernmod_can_blacklisted:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_can_blacklisted:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^blacklist\s+can$
    Instance: 1

    kernel module can disabled  oval:ssg-test_kernmod_can_disabled:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_can_disabled:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^\s*install\s+can\s+(/bin/false|/bin/true)$
    Instance: 1

    kernel module can disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_can_modprobeconf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_can_modprobeconf:obj:1 of type textfilecontent54_object
    Filepath: /etc/modprobe.conf
    Pattern: ^\s*install\s+can\s+(/bin/false|/bin/true)$
    Instance: 1

    Disable IEEE 1394 (FireWire) Support

    Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-kernel_module_firewire-core_disabled:def:1
    Time: 2025-10-23T19:35:50+00:00
    Severity: low
    Identifiers:

    CCE-82517-4

    References:
    disa: CCI-000381
    nist: AC-18
    os-srg: SRG-OS-000095-GPOS-00049
    Description
    The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. To configure the system to prevent the firewire-core kernel module from being loaded, add the following line to the file /etc/modprobe.d/firewire-core.conf:
    install firewire-core /bin/false
    Rationale
    Disabling FireWire protects the system against exploitation of any flaws in its implementation.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,install%20firewire-core%20/bin/false%0Ablacklist%20firewire-core%0A
            mode: 0644
            path: /etc/modprobe.d/firewire-core.conf
            overwrite: true
    
    OVAL test results details

    kernel module firewire-core blacklisted  oval:ssg-test_kernmod_firewire-core_blacklisted:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_firewire-core_blacklisted:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^blacklist\s+firewire-core$
    Instance: 1

    kernel module firewire-core disabled  oval:ssg-test_kernmod_firewire-core_disabled:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_firewire-core_disabled:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$
    Instance: 1

    kernel module firewire-core disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_firewire-core_modprobeconf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_firewire-core_modprobeconf:obj:1 of type textfilecontent54_object
    Filepath: /etc/modprobe.conf
    Pattern: ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$
    Instance: 1

    Disable SCTP Support

    Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-kernel_module_sctp_disabled:def:1
    Time: 2025-10-23T19:35:50+00:00
    Severity: medium
    Identifiers:

    CCE-82516-6

    References:
    cis-csc: 11, 14, 3, 9
    cjis: 5.10.1
    cobit5: BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
    cui: 3.4.6
    disa: CCI-000381
    isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
    iso27001-2013: A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
    nist: CM-7(a), CM-7(b), CM-6(a)
    nist-csf: PR.IP-1, PR.PT-3
    ospp: FMT_SMF_EXT.1
    pcidss: Req-1.4.2
    os-srg: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227
    pcidss4: 1.4.2, 1.4
    Description
    The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the sctp kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf:
    install sctp /bin/false
    Rationale
    Disabling SCTP protects the system against exploitation of any flaws in its implementation.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,install%20sctp%20/bin/false%0Ablacklist%20sctp%0A
            mode: 0644
            path: /etc/modprobe.d/sctp.conf
            overwrite: true
    
    OVAL test results details

    kernel module sctp blacklisted  oval:ssg-test_kernmod_sctp_blacklisted:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /etc/modprobe.d/sctp-blacklist.conf
    Content: blacklist sctp

    kernel module sctp disabled  oval:ssg-test_kernmod_sctp_disabled:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_sctp_disabled:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^\s*install\s+sctp\s+(/bin/false|/bin/true)$
    Instance: 1

    kernel module sctp disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_sctp_modprobeconf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_sctp_modprobeconf:obj:1 of type textfilecontent54_object
    Filepath: /etc/modprobe.conf
    Pattern: ^\s*install\s+sctp\s+(/bin/false|/bin/true)$
    Instance: 1

    Disable TIPC Support

    Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-kernel_module_tipc_disabled:def:1
    Time: 2025-10-23T19:35:50+00:00
    Severity: low
    Identifiers:

    CCE-82520-8

    References:
    cis-csc: 11, 14, 3, 9
    cobit5: BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
    disa: CCI-000381
    isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
    iso27001-2013: A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
    nist: CM-7(a), CM-7(b), CM-6(a)
    nist-csf: PR.IP-1, PR.PT-3
    ospp: FMT_SMF_EXT.1
    os-srg: SRG-OS-000095-GPOS-00049
    Description
    The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the tipc kernel module from being loaded, add the following line to the file /etc/modprobe.d/tipc.conf:
    install tipc /bin/false
    Rationale
    Disabling TIPC protects the system against exploitation of any flaws in its implementation.
    Warnings
    Warning: This configuration baseline was created to deploy the base operating system for general purpose workloads. When the operating system is configured for certain purposes, such as a node in a High Performance Computing cluster, it is expected that the tipc kernel module will be loaded.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,install%20tipc%20/bin/false%0Ablacklist%20tipc%0A
            mode: 0644
            path: /etc/modprobe.d/tipc.conf
            overwrite: true
    
    OVAL test results details

    kernel module tipc blacklisted  oval:ssg-test_kernmod_tipc_blacklisted:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_tipc_blacklisted:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^blacklist\s+tipc$
    Instance: 1

    kernel module tipc disabled  oval:ssg-test_kernmod_tipc_disabled:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_tipc_disabled:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^\s*install\s+tipc\s+(/bin/false|/bin/true)$
    Instance: 1

    kernel module tipc disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_tipc_modprobeconf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_tipc_modprobeconf:obj:1 of type textfilecontent54_object
    Filepath: /etc/modprobe.conf
    Pattern: ^\s*install\s+tipc\s+(/bin/false|/bin/true)$
    Instance: 1

    Disable Bluetooth Service

    Rule ID: xccdf_org.ssgproject.content_rule_service_bluetooth_disabled
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-service_bluetooth_disabled:def:1
    Time: 2025-10-23T19:35:52+00:00
    Severity: medium
    References:
    cis-csc: 11, 12, 14, 15, 3, 8, 9
    cobit5: APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06
    cui: 3.1.16
    disa: CCI-000085, CCI-001551
    isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2
    nist: AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7
    nist-csf: PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
    Description
    The bluetooth service can be disabled with the following manifest:
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      labels:
        machineconfiguration.openshift.io/role: master
      name: 75-master-bluetooth-disable
    spec:
      config:
        ignition:
          version: 3.1.0
        systemd:
          units:
          - name: bluetooth.service
            enabled: false
            mask: true
          - name: bluetooth.socket
            enabled: false
            mask: true
    

    This will disable the bluetooth service on all nodes labeled with the "master" role.

    Note that a separate MachineConfig with the matching role label is needed for each MachineConfigPool (for example a second manifest with machineconfiguration.openshift.io/role: worker for the worker pool).

    For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.

    On this scan the rule passed because the bluez package is not installed on the node (see the OVAL results below), so there is no unit to mask; the MachineConfig remains the durable control should the package ever be layered onto the image.

    To stop an already-running instance on a node immediately, rather than waiting for the MachineConfig rollout:
    $ sudo service bluetooth stop
    Rationale
    Disabling the bluetooth service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.
    OVAL test results details

    package bluez is removed  oval:ssg-service_bluetooth_disabled_test_service_bluetooth_package_bluez_removed:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_service_bluetooth_disabled_test_service_bluetooth_package_bluez_removed:obj:1 of type rpminfo_object
    Name
    bluez

    Test that the bluetooth service is not running  oval:ssg-test_service_not_running_service_bluetooth_disabled_bluetooth:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_service_not_running_service_bluetooth_disabled_bluetooth:obj:1 of type systemdunitproperty_object
    Unit: ^bluetooth\.(service|socket)$
    Property: ActiveState

    Test that the property LoadState from the service bluetooth is masked  oval:ssg-test_service_loadstate_is_masked_service_bluetooth_disabled_bluetooth:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_service_loadstate_is_masked_service_bluetooth_disabled_bluetooth:obj:1 of type systemdunitproperty_object
    Unit: ^bluetooth\.(service|socket)$
    Property: LoadState
    Disable Bluetooth Kernel Module

    Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-kernel_module_bluetooth_disabled:def:1
    Time: 2025-10-23T19:35:52+00:00
    Severity: medium
    Identifiers:

    CCE-82515-8

    References:
    cis-csc: 11, 12, 14, 15, 3, 8, 9
    cjis: 5.13.1.3
    cobit5: APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06
    cui: 3.1.16
    disa: CCI-001443, CCI-000381
    isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2
    nist: AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7
    nist-csf: PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
    ospp: FMT_SMF_EXT.1
    os-srg: SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118
    Description
    The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to a file under /etc/modprobe.d (the remediation below writes /etc/modprobe.d/bluetooth.conf):
    install bluetooth /bin/false
    blacklist bluetooth
    The install line makes modprobe run /bin/false instead of loading the module; the check also accepts /bin/true, but /bin/false is preferable because an explicit modprobe attempt then reports failure instead of silently succeeding. The blacklist line stops the module from being auto-loaded through an alias, for example when matching hardware is detected. Both lines are tested by the OVAL checks below. A modprobe.d change does not unload a module that is already loaded, which is why the rule carries Reboot:true; the Machine Config Operator reboots each node in the pool as it applies the MachineConfig.
    Rationale
    If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,install%20bluetooth%20/bin/false%0Ablacklist%20bluetooth%0A
            mode: 0644
            path: /etc/modprobe.d/bluetooth.conf
            overwrite: true
    
    OVAL test results details

    kernel module bluetooth blacklisted  oval:ssg-test_kernmod_bluetooth_blacklisted:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_bluetooth_blacklisted:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^blacklist\s+bluetooth$
    Instance: 1

    kernel module bluetooth disabled  oval:ssg-test_kernmod_bluetooth_disabled:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_bluetooth_disabled:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$
    Instance: 1

    kernel module bluetooth disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_bluetooth_modprobeconf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_bluetooth_modprobeconf:obj:1 of type textfilecontent54_object
    Filepath: /etc/modprobe.conf
    Pattern: ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$
    Instance: 1
    Disable Kernel cfg80211 Module

    Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_cfg80211_disabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-kernel_module_cfg80211_disabled:def:1
    Time: 2025-10-23T19:35:52+00:00
    Severity: medium
    Identifiers:

    CCE-85932-2

    References:
    nist: AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, AC-18(4)
    Description
    To configure the system to prevent the cfg80211 kernel module from being loaded, add the following line to the file /etc/modprobe.d/cfg80211.conf (the remediation below also writes a matching blacklist line, which the OVAL check looks for):
    install cfg80211 /bin/false
    cfg80211 is the wireless configuration API that the in-tree Wi-Fi drivers depend on, so blocking it also keeps those drivers from loading, since modprobe cannot satisfy their dependency. The iwlmvm, iwlwifi and mac80211 rules that follow apply the same control at the driver and MAC layers for defense in depth.
    Rationale
    If wireless functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,install%20cfg80211%20/bin/false%0Ablacklist%20cfg80211%0A
            mode: 0644
            path: /etc/modprobe.d/cfg80211.conf
            overwrite: true
    
    OVAL test results details

    kernel module cfg80211 blacklisted  oval:ssg-test_kernmod_cfg80211_blacklisted:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_cfg80211_blacklisted:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^blacklist\s+cfg80211$
    Instance: 1

    kernel module cfg80211 disabled  oval:ssg-test_kernmod_cfg80211_disabled:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_cfg80211_disabled:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^\s*install\s+cfg80211\s+(/bin/false|/bin/true)$
    Instance: 1

    kernel module cfg80211 disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_cfg80211_modprobeconf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_cfg80211_modprobeconf:obj:1 of type textfilecontent54_object
    Filepath: /etc/modprobe.conf
    Pattern: ^\s*install\s+cfg80211\s+(/bin/false|/bin/true)$
    Instance: 1
    Disable Kernel iwlmvm Module

    Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_iwlmvm_disabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-kernel_module_iwlmvm_disabled:def:1
    Time: 2025-10-23T19:35:52+00:00
    Severity: medium
    Identifiers:

    CCE-85933-0

    References:
    nist: AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, AC-18(4)
    Description
    To configure the system to prevent the iwlmvm kernel module from being loaded, add the following line to the file /etc/modprobe.d/iwlmvm.conf (the remediation below also writes a matching blacklist line, which the OVAL check looks for):
    install iwlmvm /bin/false
    iwlmvm is the firmware-interface module that iwlwifi loads for current Intel wireless adapters; blocking it complements the iwlwifi and cfg80211 rules.
    Rationale
    If wireless functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,install%20iwlmvm%20/bin/false%0Ablacklist%20iwlmvm%0A
            mode: 0644
            path: /etc/modprobe.d/iwlmvm.conf
            overwrite: true
    
    OVAL test results details

    kernel module iwlmvm blacklisted  oval:ssg-test_kernmod_iwlmvm_blacklisted:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_iwlmvm_blacklisted:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^blacklist\s+iwlmvm$
    Instance: 1

    kernel module iwlmvm disabled  oval:ssg-test_kernmod_iwlmvm_disabled:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_iwlmvm_disabled:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^\s*install\s+iwlmvm\s+(/bin/false|/bin/true)$
    Instance: 1

    kernel module iwlmvm disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_iwlmvm_modprobeconf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_iwlmvm_modprobeconf:obj:1 of type textfilecontent54_object
    Filepath: /etc/modprobe.conf
    Pattern: ^\s*install\s+iwlmvm\s+(/bin/false|/bin/true)$
    Instance: 1
    Disable Kernel iwlwifi Module

    Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_iwlwifi_disabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-kernel_module_iwlwifi_disabled:def:1
    Time: 2025-10-23T19:35:52+00:00
    Severity: medium
    Identifiers:

    CCE-85934-8

    References:
    nist: AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, AC-18(4)
    Description
    To configure the system to prevent the iwlwifi kernel module from being loaded, add the following line to the file /etc/modprobe.d/iwlwifi.conf (the remediation below also writes a matching blacklist line, which the OVAL check looks for):
    install iwlwifi /bin/false
    iwlwifi is the core driver for Intel wireless adapters and is the module that hardware detection would normally auto-load on such hosts, which is why the blacklist line matters here.
    Rationale
    If wireless functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,install%20iwlwifi%20/bin/false%0Ablacklist%20iwlwifi%0A
            mode: 0644
            path: /etc/modprobe.d/iwlwifi.conf
            overwrite: true
    
    OVAL test results details

    kernel module iwlwifi blacklisted  oval:ssg-test_kernmod_iwlwifi_blacklisted:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_iwlwifi_blacklisted:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^blacklist\s+iwlwifi$
    Instance: 1

    kernel module iwlwifi disabled  oval:ssg-test_kernmod_iwlwifi_disabled:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_iwlwifi_disabled:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^\s*install\s+iwlwifi\s+(/bin/false|/bin/true)$
    Instance: 1

    kernel module iwlwifi disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_iwlwifi_modprobeconf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_iwlwifi_modprobeconf:obj:1 of type textfilecontent54_object
    Filepath: /etc/modprobe.conf
    Pattern: ^\s*install\s+iwlwifi\s+(/bin/false|/bin/true)$
    Instance: 1
    Disable Kernel mac80211 Module

    Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_mac80211_disabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-kernel_module_mac80211_disabled:def:1
    Time: 2025-10-23T19:35:52+00:00
    Severity: medium
    Identifiers:

    CCE-85935-5

    References:
    nist: AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, AC-18(4)
    Description
    To configure the system to prevent the mac80211 kernel module from being loaded, add the following line to the file /etc/modprobe.d/mac80211.conf (the remediation below also writes a matching blacklist line, which the OVAL check looks for):
    install mac80211 /bin/false
    mac80211 is the kernel's software MAC layer used by most Wi-Fi drivers, iwlwifi included, and itself depends on cfg80211; blocking it stops those drivers from loading even if the driver-specific rules above are not applied.
    Rationale
    If wireless functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,install%20mac80211%20/bin/false%0Ablacklist%20mac80211%0A
            mode: 0644
            path: /etc/modprobe.d/mac80211.conf
            overwrite: true
    
    OVAL test results details

    kernel module mac80211 blacklisted  oval:ssg-test_kernmod_mac80211_blacklisted:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_mac80211_blacklisted:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^blacklist\s+mac80211$
    Instance: 1

    kernel module mac80211 disabled  oval:ssg-test_kernmod_mac80211_disabled:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_mac80211_disabled:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^\s*install\s+mac80211\s+(/bin/false|/bin/true)$
    Instance: 1

    kernel module mac80211 disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_mac80211_modprobeconf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_mac80211_modprobeconf:obj:1 of type textfilecontent54_object
    Filepath: /etc/modprobe.conf
    Pattern: ^\s*install\s+mac80211\s+(/bin/false|/bin/true)$
    Instance: 1
    Disable WiFi or Bluetooth in BIOS

    Rule ID: xccdf_org.ssgproject.content_rule_wireless_disable_in_bios
    Result: notchecked
    Multi-check rule: no
    Time: 2025-10-23T19:35:52+00:00
    Severity: unknown
    Identifiers:

    CCE-82659-4

    References:
    cis-csc: 11, 12, 14, 15, 3, 8, 9
    cobit5: APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06
    disa: CCI-000085
    isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2
    nist: AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7
    nist-csf: PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
    Description
    Some machines that include built-in wireless support offer the ability to disable the device through the BIOS. This is hardware-specific; consult your hardware manual or explore the BIOS setup during boot.
    Rationale
    Disabling wireless support in the BIOS prevents easy activation of the wireless interface, generally requiring administrators to reboot the system first.
    Evaluation messages
    info: No candidate or applicable check found.
    Deactivate Wireless Network Interfaces

    Rule ID: xccdf_org.ssgproject.content_rule_wireless_disable_interfaces
    Result: notapplicable
    Multi-check rule: no
    Time: 2025-10-23T19:35:52+00:00
    Severity: medium
    Identifiers:

    CCE-82660-2

    References:
    cis-csc: 11, 12, 14, 15, 3, 8, 9
    cobit5: APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06
    cui: 3.1.16
    disa: CCI-001443, CCI-001444, CCI-002421, CCI-002418
    isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
    ism: 1315, 1319
    iso27001-2013: A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2
    nist: AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7
    nist-csf: PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4
    pcidss: Req-1.3.3
    os-srg: SRG-OS-000299-GPOS-00117, SRG-OS-000300-GPOS-00118, SRG-OS-000424-GPOS-00188, SRG-OS-000481-GPOS-00481
    pcidss4: 1.3.3, 1.3
    Description
    Deactivating wireless network interfaces should prevent normal usage of the wireless capability.

    Configure the system to disable all wireless network interfaces with the following command. On a cluster node, run it from a debug shell (oc debug node/<node>, then chroot /host); NetworkManager records the radio state persistently, so the setting survives a reboot:
    $ sudo nmcli radio all off
    Rationale
    The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.
    Disable the Automounter

    Rule ID: xccdf_org.ssgproject.content_rule_service_autofs_disabled
    Result: notapplicable
    Multi-check rule: no
    Time: 2025-10-23T19:36:00+00:00
    Severity: medium
    Identifiers:

    CCE-82663-6

    References:
    cis-csc: 1, 12, 15, 16, 5
    cobit5: APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
    cui: 3.4.6
    disa: CCI-000778, CCI-000366, CCI-001958
    hipaa: 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b)
    isa-62443-2009: 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6
    iso27001-2013: A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
    nist: CM-7(a), CM-7(b), CM-6(a), MP-7
    nist-csf: PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7
    os-srg: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227
    Description
    The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.

    The autofs service can be disabled with the following manifest:
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      labels:
        machineconfiguration.openshift.io/role: master
      name: 75-master-autofs-disable
    spec:
      config:
        ignition:
          version: 3.1.0
        systemd:
          units:
          - name: autofs.service
            enabled: false
            mask: true
          - name: autofs.socket
            enabled: false
            mask: true
    

    This will disable the autofs service on all nodes labeled with the "master" role.

    Note that a separate MachineConfig with the matching role label is needed for each MachineConfigPool.

    For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.

    Rationale
    Disabling the automounter permits the administrator to statically control filesystem mounting through /etc/fstab.

    Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.
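    The service and kernel-module rules in this section each show a single MachineConfig for the master pool and note that the same object is needed per MachineConfigPool. The following Python is an added example, not part of this guide or of the scap-security-guide remediation content: it generates the per-pool manifests for both kinds of control, grouping several modules into one modprobe.d file (the checks search every *.conf under /etc/modprobe.d, so the file name is free), and shows how the Ignition data: URL is percent-encoded and decoded for review. Pool names, the MachineConfig names (75-<pool>-...) and the disabled-modules.conf file name are assumptions.

```python
"""Generate MachineConfig manifests that disable kernel modules and mask
systemd units for every MachineConfigPool (one object per pool, as the guide
requires). Added example; not scap-security-guide remediation content."""
from urllib.parse import quote, unquote

IGNITION_VERSION = "3.1.0"  # matches the manifests in this guide


def data_url(text: str) -> str:
    """Encode file contents as the 'data:,' URL Ignition expects. quote()
    percent-encodes spaces and newlines but leaves '/' alone, reproducing
    e.g. data:,install%20bluetooth%20/bin/false%0Ablacklist%20bluetooth%0A"""
    return "data:," + quote(text)


def decode_source(source: str) -> str:
    """Reverse of data_url(), for reviewing a manifest before 'oc apply'."""
    if not source.startswith("data:,"):
        raise ValueError("only plain data: URLs are handled here")
    return unquote(source[len("data:,"):])


def modprobe_conf(modules) -> str:
    """One install/blacklist pair per module: 'install ... /bin/false' makes an
    explicit modprobe fail, 'blacklist' stops alias-based auto-loading."""
    return "".join(f"install {m} /bin/false\nblacklist {m}\n" for m in modules)


def kernel_modules_machineconfig(pool: str, modules, filename: str) -> str:
    """MachineConfig writing /etc/modprobe.d/<filename> on every node of a pool.
    Object name is an assumed convention in the guide's 75-<pool>-... style."""
    return f"""apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: {pool}
  name: 75-{pool}-kernel-modules-disable
spec:
  config:
    ignition:
      version: {IGNITION_VERSION}
    storage:
      files:
      - contents:
          source: {data_url(modprobe_conf(modules))}
        mode: 0644
        path: /etc/modprobe.d/{filename}
        overwrite: true
"""


def service_mask_machineconfig(pool: str, unit: str) -> str:
    """MachineConfig that disables and masks <unit>.service and <unit>.socket,
    exactly as the bluetooth and autofs rules do for the master pool."""
    units = "".join(
        f"      - name: {unit}.{kind}\n        enabled: false\n        mask: true\n"
        for kind in ("service", "socket"))
    return f"""apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: {pool}
  name: 75-{pool}-{unit}-disable
spec:
  config:
    ignition:
      version: {IGNITION_VERSION}
    systemd:
      units:
{units}"""


def render_manifests(pools, modules, units, filename="disabled-modules.conf") -> str:
    """One multi-document YAML stream covering every pool."""
    docs = []
    for pool in pools:
        docs.append(kernel_modules_machineconfig(pool, modules, filename))
        docs.extend(service_mask_machineconfig(pool, u) for u in units)
    return "---\n" + "---\n".join(docs)


if __name__ == "__main__":
    # python3 gen.py | oc apply -f -   (pool names are assumptions)
    print(render_manifests(["master", "worker"],
                           ["bluetooth", "cfg80211", "mac80211", "iwlwifi", "iwlmvm", "cramfs"],
                           ["bluetooth", "autofs"]))
```

    The Machine Config Operator reboots the nodes of a pool as it rolls these objects out, which is also what makes the modprobe.d change effective for modules that are already loaded.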
    Disable Booting from USB Devices in Boot Firmware

    Rule ID: xccdf_org.ssgproject.content_rule_bios_disable_usb_boot
    Result: notchecked
    Multi-check rule: no
    Time: 2025-10-23T19:36:00+00:00
    Severity: unknown
    Identifiers:

    CCE-82662-8

    References:
    cis-csc: 12, 16
    cobit5: APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03
    disa: CCI-001250
    isa-62443-2009: 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4
    isa-62443-2013: SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6
    iso27001-2013: A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1
    nist: MP-7, CM-7(b), CM-6(a)
    nist-csf: PR.AC-3, PR.AC-6
    Description
    Configure the system boot firmware (historically called BIOS on PC systems) to disallow booting from USB drives.
    Rationale
    Booting a system from a USB device would allow an attacker to circumvent any security measures provided by the operating system. Attackers could mount partitions and modify the configuration of the OS.
    Evaluation messages
    info: No candidate or applicable check found.
    Disable Kernel Support for USB via Bootloader Configuration

    Rule ID: xccdf_org.ssgproject.content_rule_coreos_nousb_kernel_argument
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-coreos_nousb_kernel_argument:def:1
    Time: 2025-10-23T19:36:00+00:00
    Severity: medium
    Identifiers:

    CCE-83443-2

    References:
    cis-csc: 12, 16
    cobit5: APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03
    disa: CCI-001250
    hipaa: 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b)
    isa-62443-2009: 4.3.3.2.2, 4.3.3.5.2, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.4
    isa-62443-2013: SR 1.1, SR 1.13, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1, SR 2.6
    iso27001-2013: A.11.2.6, A.13.1.1, A.13.2.1, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1
    nist: MP-7, CM-6(a)
    nist-csf: PR.AC-3, PR.AC-6
    Description
    All USB support can be disabled by adding the nousb argument to the kernel's boot loader configuration. On Red Hat Enterprise Linux CoreOS, add the nousb kernel argument through the spec.kernelArguments list of a MachineConfig object; the Machine Config Operator applies it with rpm-ostree, which writes a new deployment, and then reboots the node. The check below inspects both the Boot Loader Specification entries under /boot/loader/entries and the running kernel's /proc/cmdline, so the rule only passes once the node has rebooted into the deployment that carries the argument.
    Rationale
    Disabling the USB subsystem within the Linux kernel at system boot will protect against potentially malicious USB devices, although it is only practical in specialized systems.
    Warnings
    warning  Disabling all kernel support for USB will cause problems for systems with USB-based keyboards, mice, or printers. This configuration is infeasible for systems which require USB devices, which is common.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:restrict
    
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
      kernelArguments:
        - nousb
    
    OVAL test results details

    Check if /boot/loader/entries/ostree-2.*.conf does not exist  oval:ssg-test_coreos_nousb_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_coreos_nousb_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1 of type file_object
    Filepath: ^/boot/loader/entries/ostree-2.*.conf

    Check if argument nousb is present in the line starting with 'options ' in /boot/loader/entries/ostree-1.*.conf  oval:ssg-test_coreos_nousb_kernel_argument_nousb_argument_in_boot_loader_entries_ostree_1_conf:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: false
    Path: /boot/loader/entries/ostree-1.conf
    Content: options rw $ignition_firstboot ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1="all" psi=0

    Check if argument nousb is present in the line starting with 'options ' in /boot/loader/entries/ostree-2.*.conf  oval:ssg-test_coreos_nousb_kernel_argument_nousb_argument_in_boot_loader_entries_ostree_2_conf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_coreos_nousb_kernel_argument_nousb_argument_in_boot_loader_entries_ostree_2_conf:obj:1 of type textfilecontent54_object
    Filepath: ^/boot/loader/entries/ostree-2.*.conf
    Pattern: ^options (.*)$
    Instance: 1

    Check if argument nousb is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline  oval:ssg-test_coreos_nousb_kernel_argument_nousb_argument_in_proc_cmdline:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: false
    Path: /proc/cmdline
    Content: BOOT_IMAGE=(hd0,gpt3)/boot/ostree/rhcos-96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/vmlinuz-5.14.0-570.51.1.el9_6.x86_64 rw ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all psi=0
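    The OVAL results above combine three sources: the options line of every ostree-*.conf Boot Loader Specification entry and the running /proc/cmdline. The following Python is an added example, not part of this guide or of the SCAP content. It reproduces that logic for any kernel argument and distinguishes "staged" (the argument is in every BLS entry, so rpm-ostree has written the new deployment, but the node has not rebooted into it) from a plain failure, which is the state an operator sees between a MachineConfig being applied and the node reboot. The sample inputs are constructed from the options line in this report with the ostree checksum shortened to "abc"; audit_node() reads the live files and is only expected to work inside a node's host namespace (for example oc debug node/<name> followed by chroot /host).

```python
"""Reproduce the coreos_nousb_kernel_argument check: the argument must be on
the 'options' line of every BLS entry under /boot/loader/entries and in the
running kernel's /proc/cmdline. Added example, not part of this guide or of
the SCAP content; sample inputs are constructed (checksum shortened)."""
import shlex
from pathlib import Path


def options_args(bls_text: str) -> list:
    """Kernel arguments from the 'options' line of a Boot Loader Spec entry.
    shlex handles quoted values such as cgroup_no_v1="all"."""
    for line in bls_text.splitlines():
        if line.startswith("options "):
            return shlex.split(line[len("options "):])
    return []


def has_karg(args, wanted: str) -> bool:
    """Exact token match: 'nousb' does not match 'nousb=0' or 'nousbfoo'."""
    return wanted in args


def audit(entries: dict, proc_cmdline: str, wanted: str = "nousb") -> dict:
    """entries maps BLS file name -> file text. Returns per-source verdicts and
    an overall state: 'pass' (configured and active), 'staged' (present in
    every BLS entry but not in /proc/cmdline: reboot still pending) or 'fail'.
    As in the OVAL, a second entry lacking the argument keeps the rule failing."""
    per_entry = {name: has_karg(options_args(text), wanted)
                 for name, text in entries.items()}
    running = has_karg(shlex.split(proc_cmdline), wanted)
    configured = bool(per_entry) and all(per_entry.values())
    state = "pass" if configured and running else "staged" if configured else "fail"
    return {"entries": per_entry, "running": running, "state": state}


def audit_node(entries_dir: str = "/boot/loader/entries",
               cmdline: str = "/proc/cmdline", wanted: str = "nousb") -> dict:
    """Run against a live node from a host shell (oc debug node/<name>, chroot /host)."""
    entries = {p.name: p.read_text() for p in Path(entries_dir).glob("ostree-*.conf")}
    return audit(entries, Path(cmdline).read_text(), wanted)


# Constructed samples: the report's ostree-1.conf options line without nousb,
# the same entry as written once kernelArguments: [nousb] is applied, and the
# /proc/cmdline of the current boot with and without the argument.
OPTIONS = ("options rw $ignition_firstboot ostree=/ostree/boot.1/rhcos/abc/0 "
           "ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 "
           "root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota "
           "boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a "
           "systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=\"all\" psi=0\n")
ENTRY_WITHOUT = "title Red Hat Enterprise Linux CoreOS\nversion 1\n" + OPTIONS
ENTRY_WITH = ENTRY_WITHOUT.replace("options rw ", "options nousb rw ")
KERNEL = "vmlinuz-5.14.0-570.51.1.el9_6.x86_64 "
CMDLINE_WITHOUT = "BOOT_IMAGE=(hd0,gpt3)/boot/ostree/rhcos-abc/" + KERNEL + OPTIONS[len("options "):]
CMDLINE_WITH = CMDLINE_WITHOUT.replace(KERNEL, KERNEL + "nousb ")

if __name__ == "__main__":
    print(audit({"ostree-1.conf": ENTRY_WITHOUT}, CMDLINE_WITHOUT)["state"])
    print(audit({"ostree-1.conf": ENTRY_WITH, "ostree-2.conf": ENTRY_WITHOUT}, CMDLINE_WITHOUT)["state"])
    print(audit({"ostree-1.conf": ENTRY_WITH}, CMDLINE_WITHOUT)["state"])
    print(audit({"ostree-1.conf": ENTRY_WITH}, CMDLINE_WITH)["state"])
```

    The exact-token match matters: a substring test would accept nousb=0 or an unrelated argument that merely starts with the same letters, and the OVAL's pattern is likewise anchored on whole arguments of the options line.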
    Disable Mounting of cramfs

    Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-kernel_module_cramfs_disabled:def:1
    Time: 2025-10-23T19:36:00+00:00
    Severity: low
    Identifiers:

    CCE-82514-1

    References:
    cis-csc: 11, 14, 3, 9
    cobit5: BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
    cui: 3.4.6
    disa: CCI-000381
    isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
    iso27001-2013: A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
    nist: CM-7(a), CM-7(b), CM-6(a)
    nist-csf: PR.IP-1, PR.PT-3
    os-srg: SRG-OS-000095-GPOS-00049
    Description
    To configure the system to prevent the cramfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf (the remediation below also writes a matching blacklist line, which the OVAL check looks for):
    install cramfs /bin/false
    This effectively prevents usage of this uncommon filesystem: a mount of type cramfs triggers an automatic module load, which the install line turns into a failure. The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.
    Rationale
    Removing support for unneeded filesystem types reduces the local attack surface of the server.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,install%20cramfs%20/bin/false%0Ablacklist%20cramfs%0A
            mode: 0644
            path: /etc/modprobe.d/cramfs.conf
            overwrite: true
    
    OVAL test results details

    kernel module cramfs blacklisted  oval:ssg-test_kernmod_cramfs_blacklisted:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_cramfs_blacklisted:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^blacklist\s+cramfs$
    Instance: 1

    kernel module cramfs disabled  oval:ssg-test_kernmod_cramfs_disabled:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_cramfs_disabled:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$
    Instance: 1

    kernel module cramfs disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_cramfs_modprobeconf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_cramfs_modprobeconf:obj:1 of type textfilecontent54_object
    Filepath: /etc/modprobe.conf
    Pattern: ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$
    Instance: 1
    Disable Mounting of freevxfs  xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled  low  CCE-82713-9

    Disable Mounting of freevxfs

    Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-kernel_module_freevxfs_disabled:def:1
    Time: 2025-10-23T19:36:00+00:00
    Severity: low
    Identifiers:

    CCE-82713-9

    References:
    cis-csc: 11, 14, 3, 9
    cobit5: BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
    cui: 3.4.6
    isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
    iso27001-2013: A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
    nist: CM-7(a), CM-7(b), CM-6(a)
    nist-csf: PR.IP-1, PR.PT-3
    Description
    To configure the system to prevent the freevxfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/freevxfs.conf:
    install freevxfs /bin/false
    This effectively prevents usage of this uncommon filesystem.
    Rationale
    Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,install%20freevxfs%20/bin/false%0Ablacklist%20freevxfs%0A
            mode: 0644
            path: /etc/modprobe.d/freevxfs.conf
            overwrite: true
    
    OVAL test results details

    kernel module freevxfs blacklisted  oval:ssg-test_kernmod_freevxfs_blacklisted:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_freevxfs_blacklisted:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^blacklist\s+freevxfs$
    Instance: 1

    kernel module freevxfs disabled  oval:ssg-test_kernmod_freevxfs_disabled:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_freevxfs_disabled:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$
    Instance: 1

    kernel module freevxfs disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_freevxfs_modprobeconf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_freevxfs_modprobeconf:obj:1 of type textfilecontent54_object
    Filepath: /etc/modprobe.conf
    Pattern: ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$
    Instance: 1
    Disable Mounting of hfs  xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled  low  CCE-82714-7

    Disable Mounting of hfs

    Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-kernel_module_hfs_disabled:def:1
    Time: 2025-10-23T19:36:00+00:00
    Severity: low
    Identifiers:

    CCE-82714-7

    References:
    cis-csc: 11, 14, 3, 9
    cobit5: BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
    cui: 3.4.6
    isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
    iso27001-2013: A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
    nist: CM-7(a), CM-7(b), CM-6(a)
    nist-csf: PR.IP-1, PR.PT-3
    Description
    To configure the system to prevent the hfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/hfs.conf:
    install hfs /bin/false
    This effectively prevents usage of this uncommon filesystem.
    Rationale
    Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,install%20hfs%20/bin/false%0Ablacklist%20hfs%0A
            mode: 0644
            path: /etc/modprobe.d/hfs.conf
            overwrite: true
    
    OVAL test results details

    kernel module hfs blacklisted  oval:ssg-test_kernmod_hfs_blacklisted:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_hfs_blacklisted:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^blacklist\s+hfs$
    Instance: 1

    kernel module hfs disabled  oval:ssg-test_kernmod_hfs_disabled:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_hfs_disabled:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^\s*install\s+hfs\s+(/bin/false|/bin/true)$
    Instance: 1

    kernel module hfs disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_hfs_modprobeconf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_hfs_modprobeconf:obj:1 of type textfilecontent54_object
    Filepath: /etc/modprobe.conf
    Pattern: ^\s*install\s+hfs\s+(/bin/false|/bin/true)$
    Instance: 1
    Disable Mounting of hfsplus  xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled  low  CCE-82715-4

    Disable Mounting of hfsplus

    Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-kernel_module_hfsplus_disabled:def:1
    Time: 2025-10-23T19:36:00+00:00
    Severity: low
    Identifiers:

    CCE-82715-4

    References:
    cis-csc: 11, 14, 3, 9
    cobit5: BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
    cui: 3.4.6
    isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
    iso27001-2013: A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
    nist: CM-7(a), CM-7(b), CM-6(a)
    nist-csf: PR.IP-1, PR.PT-3
    Description
    To configure the system to prevent the hfsplus kernel module from being loaded, add the following line to the file /etc/modprobe.d/hfsplus.conf:
    install hfsplus /bin/false
    This effectively prevents usage of this uncommon filesystem.
    Rationale
    Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,install%20hfsplus%20/bin/false%0Ablacklist%20hfsplus%0A
            mode: 0644
            path: /etc/modprobe.d/hfsplus.conf
            overwrite: true
    
    OVAL test results details

    kernel module hfsplus blacklisted  oval:ssg-test_kernmod_hfsplus_blacklisted:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_hfsplus_blacklisted:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^blacklist\s+hfsplus$
    Instance: 1

    kernel module hfsplus disabled  oval:ssg-test_kernmod_hfsplus_disabled:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_hfsplus_disabled:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$
    Instance: 1

    kernel module hfsplus disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_hfsplus_modprobeconf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_hfsplus_modprobeconf:obj:1 of type textfilecontent54_object
    Filepath: /etc/modprobe.conf
    Pattern: ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$
    Instance: 1
    Disable Mounting of jffs2  xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled  low  CCE-82716-2

    Disable Mounting of jffs2

    Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-kernel_module_jffs2_disabled:def:1
    Time: 2025-10-23T19:36:00+00:00
    Severity: low
    Identifiers:

    CCE-82716-2

    References:
    cis-csc: 11, 14, 3, 9
    cobit5: BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
    cui: 3.4.6
    isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
    iso27001-2013: A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
    nist: CM-7(a), CM-7(b), CM-6(a)
    nist-csf: PR.IP-1, PR.PT-3
    Description
    To configure the system to prevent the jffs2 kernel module from being loaded, add the following line to the file /etc/modprobe.d/jffs2.conf:
    install jffs2 /bin/false
    This effectively prevents usage of this uncommon filesystem.
    Rationale
    Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,install%20jffs2%20/bin/false%0Ablacklist%20jffs2%0A
            mode: 0644
            path: /etc/modprobe.d/jffs2.conf
            overwrite: true
    
    OVAL test results details

    kernel module jffs2 blacklisted  oval:ssg-test_kernmod_jffs2_blacklisted:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_jffs2_blacklisted:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^blacklist\s+jffs2$
    Instance: 1

    kernel module jffs2 disabled  oval:ssg-test_kernmod_jffs2_disabled:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_jffs2_disabled:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$
    Instance: 1

    kernel module jffs2 disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_jffs2_modprobeconf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_jffs2_modprobeconf:obj:1 of type textfilecontent54_object
    Filepath: /etc/modprobe.conf
    Pattern: ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$
    Instance: 1
    Disable Mounting of squashfs  xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled  low  CCE-82717-0

    Disable Mounting of squashfs

    Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-kernel_module_squashfs_disabled:def:1
    Time: 2025-10-23T19:36:00+00:00
    Severity: low
    Identifiers:

    CCE-82717-0

    References:
    cis-csc: 11, 14, 3, 9
    cobit5: BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
    cui: 3.4.6
    isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
    iso27001-2013: A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
    nist: CM-7(a), CM-7(b), CM-6(a)
    nist-csf: PR.IP-1, PR.PT-3
    Description
    To configure the system to prevent the squashfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/squashfs.conf:
    install squashfs /bin/false
    This effectively prevents usage of this uncommon filesystem. The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image.
    Rationale
    Removing support for unneeded filesystem types reduces the local attack surface of the system.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,install%20squashfs%20/bin/false%0Ablacklist%20squashfs%0A
            mode: 0644
            path: /etc/modprobe.d/squashfs.conf
            overwrite: true
    
    OVAL test results details

    kernel module squashfs blacklisted  oval:ssg-test_kernmod_squashfs_blacklisted:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_squashfs_blacklisted:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^blacklist\s+squashfs$
    Instance: 1

    kernel module squashfs disabled  oval:ssg-test_kernmod_squashfs_disabled:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_squashfs_disabled:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$
    Instance: 1

    kernel module squashfs disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_squashfs_modprobeconf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_squashfs_modprobeconf:obj:1 of type textfilecontent54_object
    Filepath: /etc/modprobe.conf
    Pattern: ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$
    Instance: 1
    Disable Mounting of udf  xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled  low  CCE-82718-8

    Disable Mounting of udf

    Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-kernel_module_udf_disabled:def:1
    Time: 2025-10-23T19:36:00+00:00
    Severity: low
    Identifiers:

    CCE-82718-8

    References:
    cis-csc: 11, 14, 3, 9
    cobit5: BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06
    cui: 3.4.6
    isa-62443-2009: 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
    iso27001-2013: A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2
    nist: CM-7(a), CM-7(b), CM-6(a)
    nist-csf: PR.IP-1, PR.PT-3
    Description
    To configure the system to prevent the udf kernel module from being loaded, add the following line to the file /etc/modprobe.d/udf.conf:
    install udf /bin/false
    This effectively prevents usage of this uncommon filesystem. The udf filesystem type is the Universal Disk Format used to implement the ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats.
    Rationale
    Removing support for unneeded filesystem types reduces the local attack surface of the system.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,install%20udf%20/bin/false%0Ablacklist%20udf%0A
            mode: 0644
            path: /etc/modprobe.d/udf.conf
            overwrite: true
    
    OVAL test results details

    kernel module udf blacklisted  oval:ssg-test_kernmod_udf_blacklisted:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_udf_blacklisted:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^blacklist\s+udf$
    Instance: 1

    kernel module udf disabled  oval:ssg-test_kernmod_udf_disabled:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_udf_disabled:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^\s*install\s+udf\s+(/bin/false|/bin/true)$
    Instance: 1

    kernel module udf disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_udf_modprobeconf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_udf_modprobeconf:obj:1 of type textfilecontent54_object
    Filepath: /etc/modprobe.conf
    Pattern: ^\s*install\s+udf\s+(/bin/false|/bin/true)$
    Instance: 1
    Disable Modprobe Loading of USB Storage Driver  xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled  medium  CCE-82719-6

    Disable Modprobe Loading of USB Storage Driver

    Rule ID: xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-kernel_module_usb-storage_disabled:def:1
    Time: 2025-10-23T19:36:00+00:00
    Severity: medium
    Identifiers:

    CCE-82719-6

    References:
    cis-csc: 1, 12, 15, 16, 5
    cobit5: APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
    cui: 3.1.21
    disa: CCI-000778, CCI-001958, CCI-003959
    hipaa: 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b)
    isa-62443-2009: 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6
    iso27001-2013: A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
    nist: CM-7(a), CM-7(b), CM-6(a), MP-7
    nist-csf: PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7
    os-srg: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227
    app-srg-ctr: SRG-APP-000141-CTR-000315, CNTR-OS-001010, CNTR-OS-001020, CNTR-OS-001030
    pcidss4: 3.4.2, 3.4
    Description
    To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf:
    install usb-storage /bin/false
    This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.
    Rationale
    USB storage devices such as thumb drives can be used to introduce malicious software.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,install%20usb-storage%20/bin/false%0Ablacklist%20usb-storage%0A
            mode: 0644
            path: /etc/modprobe.d/usb-storage.conf
            overwrite: true
    
    OVAL test results details

    kernel module usb-storage blacklisted  oval:ssg-test_kernmod_usb-storage_blacklisted:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_usb-storage_blacklisted:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^blacklist\s+usb-storage$
    Instance: 1

    kernel module usb-storage disabled  oval:ssg-test_kernmod_usb-storage_disabled:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_usb-storage_disabled:obj:1 of type textfilecontent54_object
    Path: /etc/modprobe.d, /etc/modules-load.d, /run/modprobe.d, /run/modules-load.d, /usr/lib/modprobe.d, /usr/lib/modules-load.d
    Filename: ^.*\.conf$
    Pattern: ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$
    Instance: 1

    kernel module usb-storage disabled in /etc/modprobe.conf  oval:ssg-test_kernmod_usb-storage_modprobeconf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_kernmod_usb-storage_modprobeconf:obj:1 of type textfilecontent54_object
    Filepath: /etc/modprobe.conf
    Pattern: ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$
    Instance: 1
    Disable acquiring, saving, and processing core dumps  xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled  medium  CCE-82530-7

    Disable acquiring, saving, and processing core dumps

    Rule ID: xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-service_systemd-coredump_disabled:def:1
    Time: 2025-10-23T19:36:31+00:00
    Severity: medium
    Identifiers:

    CCE-82530-7

    References:
    disa: CCI-000366
    nist: SC-7(10)
    ospp: FMT_SMF_EXT.1
    os-srg: SRG-OS-000480-GPOS-00227
    Description
    The systemd-coredump.socket unit is a socket activation of the systemd-coredump@.service which processes core dumps. By masking the unit, core dump processing is disabled.
    Rationale
    A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
    OVAL test results details

    Test that the property LoadState from the systemd-coredump.socket is masked  oval:ssg-test_socket_loadstate_is_masked_systemd-coredump:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: false
    Unit: systemd-coredump.socket
    Property: LoadState
    Value: loaded
    Disable core dump backtraces  xccdf_org.ssgproject.content_rule_coredump_disable_backtraces  medium  CCE-82529-9

    Disable core dump backtraces

    Rule ID: xccdf_org.ssgproject.content_rule_coredump_disable_backtraces
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-coredump_disable_backtraces:def:1
    Time: 2025-10-23T19:36:31+00:00
    Severity: medium
    Identifiers:

    CCE-82529-9

    References:
    disa: CCI-000366
    nist: CM-6
    pcidss: Req-3.2
    os-srg: SRG-OS-000480-GPOS-00227
    pcidss4: 3.3.1.1, 3.3.1, 3.3
    Description
    The ProcessSizeMax option in the [Coredump] section of /etc/systemd/coredump.conf specifies the maximum size in bytes of a core which will be processed. Core dumps exceeding this size may still be stored, but no backtrace will be generated for them.
    Rationale
    A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps in such situations should be reviewed against local needs and policy.
    Warnings
    warning  If the /etc/systemd/coredump.conf file does not already contain the [Coredump] section, the value will not be configured correctly.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A
            mode: 0644
            path: /etc/systemd/coredump.conf
            overwrite: true
    
    OVAL test results details

    tests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf file  oval:ssg-test_coredump_disable_backtraces:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: false
    Path: /etc/systemd/coredump.conf
    Content: [Coredump] #Storage=external #Compress=yes ProcessSizeMax=1G

    tests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf.d file  oval:ssg-test_coredump_disable_backtraces_config_dir:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_coredump_disable_backtraces_config_dir:obj:1 of type textfilecontent54_object
    Path: /etc/systemd/coredump.conf.d
    Filename: .*\.conf$
    Pattern: ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)ProcessSizeMax(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)
    Instance: 1
    Disable storing core dump  xccdf_org.ssgproject.content_rule_coredump_disable_storage  medium  CCE-82528-1

    Disable storing core dump

    Rule ID: xccdf_org.ssgproject.content_rule_coredump_disable_storage
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-coredump_disable_storage:def:1
    Time: 2025-10-23T19:36:31+00:00
    Severity: medium
    Identifiers:

    CCE-82528-1

    References:
    disa: CCI-000366
    nist: CM-6
    pcidss: Req-3.2
    os-srg: SRG-OS-000480-GPOS-00227
    pcidss4: 3.3.1.1, 3.3.1, 3.3
    Description
    The Storage option in the [Coredump] section of /etc/systemd/coredump.conf can be set to none to disable storing core dumps permanently.
    Rationale
    A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps in such situations should be reviewed against local needs and policy.
    Warnings
    Warning: If the /etc/systemd/coredump.conf file does not already contain the [Coredump] section, the value will not be configured correctly.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A
            mode: 0644
            path: /etc/systemd/coredump.conf
            overwrite: true
    
    OVAL test results details

    tests the value of Storage setting in the /etc/systemd/coredump.conf file  oval:ssg-test_coredump_disable_storage:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_coredump_disable_storage:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/systemd/coredump.conf  ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)Storage(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)  1

    tests the value of Storage setting in the /etc/systemd/coredump.conf.d file  oval:ssg-test_coredump_disable_storage_config_dir:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_coredump_disable_storage_config_dir:obj:1 of type textfilecontent54_object
    Path  Filename  Pattern  Instance
    /etc/systemd/coredump.conf.d  .*\.conf$  ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)Storage(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)  1
    Disable Core Dumps for All Users  xccdf_org.ssgproject.content_rule_disable_users_coredumps  medium  CCE-82526-5

    Disable Core Dumps for All Users

    Rule ID: xccdf_org.ssgproject.content_rule_disable_users_coredumps
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-disable_users_coredumps:def:1
    Time: 2025-10-23T19:36:31+00:00
    Severity: medium
    Identifiers:

    CCE-82526-5

    References:
    cis-csc: 1, 12, 13, 15, 16, 2, 7, 8
    cobit5: APO13.01, BAI04.04, DSS01.03, DSS03.05, DSS05.07
    disa: CCI-000366
    isa-62443-2013: SR 6.2, SR 7.1, SR 7.2
    iso27001-2013: A.12.1.3, A.17.2.1
    nist: CM-6, SC-7(10)
    nist-csf: DE.CM-1, PR.DS-4
    os-srg: SRG-OS-000480-GPOS-00227
    pcidss4: 3.3.1.1, 3.3.1, 3.3
    Description
    To disable core dumps for all users, add the following line to /etc/security/limits.conf, or to a file within the /etc/security/limits.d/ directory:
    *     hard   core    0
    Rationale
    A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,%2A%20%20%20%20%20hard%20%20%20core%20%20%20%200
            mode: 0644
            path: /etc/security/limits.d/75-disable_users_coredumps.conf
            overwrite: true
    
    OVAL test results details

    Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.d directory  oval:ssg-test_core_dumps_limits_d:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_core_dumps_limits_d:obj:1 of type textfilecontent54_object
    Path  Filename  Pattern  Instance
    /etc/security/limits.d  ^.*\.conf$  ^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+)  1

    Tests for existence of the ^[\s]*\*[\s]+(hard|-)[\s]+core setting in the /etc/security/limits.d directory  oval:ssg-test_core_dumps_limits_d_exists:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_core_dumps_limits_d_exists:obj:1 of type textfilecontent54_object
    Path  Filename  Pattern  Instance
    /etc/security/limits.d  ^.*\.conf$  ^[\s]*\*[\s]+(?:hard|-)[\s]+core  1

    Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.conf file  oval:ssg-test_core_dumps_limitsconf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_core_dumps_limitsconf:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/security/limits.conf  ^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+)  1
    Restrict Exposed Kernel Pointer Addresses Access  xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict  medium  CCE-82498-7

    Restrict Exposed Kernel Pointer Addresses Access

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_kernel_kptr_restrict:def:1
    Time: 2025-10-23T19:36:34+00:00
    Severity: medium
    Identifiers:

    CCE-82498-7

    References:
    disa: CCI-000366, CCI-002824, CCI-001082
    nerc-cip: CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4
    nist: SC-30, SC-30(2), SC-30(5), CM-6(a)
    ospp: FMT_SMF_EXT.1
    os-srg: SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192, SRG-OS-000480-GPOS-00227
    anssi: R9
    Description
    To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command:
    $ sudo sysctl -w kernel.kptr_restrict=1
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    kernel.kptr_restrict = 1
    Rationale
    Exposing kernel pointers (through procfs or seq_printf()) exposes kernel-writeable structures which may contain function pointers. If a write vulnerability occurs in the kernel that allows write access to any of these structures, the kernel can be compromised. This option prevents any program without the CAP_SYSLOG capability from obtaining the addresses of kernel pointers by replacing them with 0.
    OVAL test results details

    kernel.kptr_restrict static configuration  oval:ssg-test_sysctl_kernel_kptr_restrict_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_kernel_kptr_restrict:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_kptr_restrict:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_kptr_restrict:obj:1

    kernel.kptr_restrict static configuration  oval:ssg-test_sysctl_kernel_kptr_restrict_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_kernel_kptr_restrict:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_kptr_restrict:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_kptr_restrict:obj:1

    kernel.kptr_restrict static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_kptr_restrict_static_pkg_correct:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    true  /usr/lib/sysctl.d/50-redhat.conf  kernel.kptr_restrict = 1

    kernel runtime parameter kernel.kptr_restrict set to the appropriate value  oval:ssg-test_sysctl_kernel_kptr_restrict_runtime:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Name  Value
    true  kernel.kptr_restrict  1
    Enable page allocator poisoning  xccdf_org.ssgproject.content_rule_coreos_page_poison_kernel_argument  medium  CCE-82673-5

    Enable page allocator poisoning

    Rule ID: xccdf_org.ssgproject.content_rule_coreos_page_poison_kernel_argument
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-coreos_page_poison_kernel_argument:def:1
    Time: 2025-10-23T19:36:34+00:00
    Severity: medium
    Identifiers:

    CCE-82673-5

    References:
    nist: CM-6(a)
    app-srg-ctr: SRG-APP-000243-CTR-000600, CNTR-OS-000560, CNTR-OS-000570, CNTR-OS-000580, CNTR-OS-000590, CNTR-OS-000600, CNTR-OS-000610
    Description
    To enable poisoning of free pages, add the argument page_poison=1 to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf.
    Rationale
    Poisoning writes an arbitrary value to freed pages, so any modification or reference to a page after it has been freed or before it has been initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. It also prevents leakage of data from freed pages and aids detection of corrupted memory.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: restrict
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
      kernelArguments:
        - page_poison=1
    
    OVAL test results details

    Check if /boot/loader/entries/ostree-2.*.conf does not exist  oval:ssg-test_coreos_page_poison_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_coreos_page_poison_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1 of type file_object
    Filepath
    ^/boot/loader/entries/ostree-2.*.conf

    Check if argument page_poison=1 is present in the line starting with 'options ' in /boot/loader/entries/ostree-1.*.conf  oval:ssg-test_coreos_page_poison_kernel_argument_page_poison_1_argument_in_boot_loader_entries_ostree_1_conf:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    false  /boot/loader/entries/ostree-1.conf  options rw $ignition_firstboot ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1="all" psi=0

    Check if argument page_poison=1 is present in the line starting with 'options ' in /boot/loader/entries/ostree-2.*.conf  oval:ssg-test_coreos_page_poison_kernel_argument_page_poison_1_argument_in_boot_loader_entries_ostree_2_conf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_coreos_page_poison_kernel_argument_page_poison_1_argument_in_boot_loader_entries_ostree_2_conf:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/boot/loader/entries/ostree-2.*.conf  ^options (.*)$  1

    Check if argument page_poison=1 is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline  oval:ssg-test_coreos_page_poison_kernel_argument_page_poison_1_argument_in_proc_cmdline:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    false  /proc/cmdline  BOOT_IMAGE=(hd0,gpt3)/boot/ostree/rhcos-96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/vmlinuz-5.14.0-570.51.1.el9_6.x86_64 rw ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all psi=0
    Disable storing core dumps  xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern  medium  CCE-82527-3

    Disable storing core dumps

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_kernel_core_pattern:def:1
    Time: 2025-10-23T19:36:04+00:00
    Severity: medium
    Identifiers:

    CCE-82527-3

    References:
    disa: CCI-000366
    nist: SC-7(10)
    os-srg: SRG-OS-000480-GPOS-00227
    pcidss4: 3.3.1.1, 3.3.1, 3.3
    Description
    To set the runtime status of the kernel.core_pattern kernel parameter, run the following command:
    $ sudo sysctl -w kernel.core_pattern=|/bin/false
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    kernel.core_pattern = |/bin/false
    Rationale
    A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,kernel.core_pattern%20%3D%20%7C/bin/false%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_kernel_core_pattern.conf
            overwrite: true
    
    OVAL test results details

    kernel.core_pattern static configuration  oval:ssg-test_sysctl_kernel_core_pattern_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_kernel_core_pattern:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_core_pattern:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_core_pattern:obj:1

    kernel.core_pattern static configuration  oval:ssg-test_sysctl_kernel_core_pattern_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_kernel_core_pattern:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_core_pattern:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_core_pattern:obj:1

    kernel.core_pattern static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_core_pattern_static_pkg_correct:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    false  /usr/lib/sysctl.d/50-coredump.conf  kernel.core_pattern=|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h

    kernel runtime parameter kernel.core_pattern set to |/bin/false  oval:ssg-test_sysctl_kernel_core_pattern_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison  Name  Value
    false  kernel.core_pattern  |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h
    Restrict Access to Kernel Message Buffer  xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict  low  CCE-82499-5

    Restrict Access to Kernel Message Buffer

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_kernel_dmesg_restrict:def:1
    Time: 2025-10-23T19:36:07+00:00
    Severity: low
    Identifiers:

    CCE-82499-5

    References:
    cui: 3.1.5
    disa: CCI-001082, CCI-001090
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)
    nist: SI-11(a), SI-11(b)
    ospp: FMT_SMF_EXT.1
    os-srg: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069
    app-srg-ctr: SRG-APP-000243-CTR-000600, CNTR-OS-000560, CNTR-OS-000570, CNTR-OS-000580, CNTR-OS-000590, CNTR-OS-000600, CNTR-OS-000610
    anssi: R9
    Description
    To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:
    $ sudo sysctl -w kernel.dmesg_restrict=1
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    kernel.dmesg_restrict = 1
    Rationale
    Unprivileged access to the kernel syslog can expose sensitive kernel address information.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,kernel.dmesg_restrict%3D1%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_kernel_dmesg_restrict.conf
            overwrite: true
    
    OVAL test results details

    kernel.dmesg_restrict static configuration  oval:ssg-test_sysctl_kernel_dmesg_restrict_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_kernel_dmesg_restrict:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_dmesg_restrict:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_dmesg_restrict:obj:1

    kernel.dmesg_restrict static configuration  oval:ssg-test_sysctl_kernel_dmesg_restrict_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_kernel_dmesg_restrict:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_dmesg_restrict:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_dmesg_restrict:obj:1

    kernel.dmesg_restrict static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_dmesg_restrict_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_kernel_dmesg_restrict:obj:1 of type textfilecontent54_object
    Path  Filename  Pattern  Instance
    /usr/lib/sysctl.d  ^.*\.conf$  ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*\S)[\s]*$  1

    kernel runtime parameter kernel.dmesg_restrict set to 1  oval:ssg-test_sysctl_kernel_dmesg_restrict_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison  Name  Value
    false  kernel.dmesg_restrict  0
    Disable Kernel Image Loading  xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled  medium  CCE-82500-0

    Disable Kernel Image Loading

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_kernel_kexec_load_disabled:def:1
    Time: 2025-10-23T19:36:12+00:00
    Severity: medium
    Identifiers:

    CCE-82500-0

    References:
    disa: CCI-003992, CCI-000366
    nist: CM-6
    ospp: FMT_SMF_EXT.1
    os-srg: SRG-OS-000480-GPOS-00227, SRG-OS-000366-GPOS-00153
    Description
    To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command:
    $ sudo sysctl -w kernel.kexec_load_disabled=1
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    kernel.kexec_load_disabled = 1
    Rationale
    Disabling kexec_load allows greater control over kernel memory: once it has been disabled, it is impossible to load another kernel image.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,kernel.kexec_load_disabled%3D1%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_kernel_kexec_load_disabled.conf
            overwrite: true
    
    OVAL test results details

    kernel.kexec_load_disabled static configuration  oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_kernel_kexec_load_disabled:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_kexec_load_disabled:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_kexec_load_disabled:obj:1

    kernel.kexec_load_disabled static configuration  oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_kernel_kexec_load_disabled:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_kexec_load_disabled:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_kexec_load_disabled:obj:1

    kernel.kexec_load_disabled static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_kernel_kexec_load_disabled:obj:1 of type textfilecontent54_object
    Path  Filename  Pattern  Instance
    /usr/lib/sysctl.d  ^.*\.conf$  ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*(.*\S)[\s]*$  1

    kernel runtime parameter kernel.kexec_load_disabled set to 1  oval:ssg-test_sysctl_kernel_kexec_load_disabled_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison  Name  Value
    false  kernel.kexec_load_disabled  0
    Disallow kernel profiling by unprivileged users  xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid  low  CCE-82502-6

    Disallow kernel profiling by unprivileged users

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_kernel_perf_event_paranoid:def:1
    Time: 2025-10-23T19:36:15+00:00
    Severity: low
    Identifiers:

    CCE-82502-6

    References:
    disa: CCI-001082, CCI-001090
    nist: AC-6
    ospp: FMT_SMF_EXT.1
    os-srg: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069
    app-srg-ctr: SRG-APP-000243-CTR-000600, CNTR-OS-000560, CNTR-OS-000570, CNTR-OS-000580, CNTR-OS-000590, CNTR-OS-000600, CNTR-OS-000610
    anssi: R9
    Description
    To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command:
    $ sudo sysctl -w kernel.perf_event_paranoid=2
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    kernel.perf_event_paranoid = 2
    Rationale
    Kernel profiling can reveal sensitive information about kernel behaviour.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,kernel.perf_event_paranoid%3D2%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_kernel_perf_event_paranoid.conf
            overwrite: true
    
    OVAL test results details

    kernel.perf_event_paranoid static configuration  oval:ssg-test_sysctl_kernel_perf_event_paranoid_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_kernel_perf_event_paranoid:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_perf_event_paranoid:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_perf_event_paranoid:obj:1

    kernel.perf_event_paranoid static configuration  oval:ssg-test_sysctl_kernel_perf_event_paranoid_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_kernel_perf_event_paranoid:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_perf_event_paranoid:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_perf_event_paranoid:obj:1

    kernel.perf_event_paranoid static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_perf_event_paranoid_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_kernel_perf_event_paranoid:obj:1 of type textfilecontent54_object
    Path  Filename  Pattern  Instance
    /usr/lib/sysctl.d  ^.*\.conf$  ^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*(.*\S)[\s]*$  1

    kernel runtime parameter kernel.perf_event_paranoid set to 2  oval:ssg-test_sysctl_kernel_perf_event_paranoid_runtime:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Name  Value
    true  kernel.perf_event_paranoid  2
    Disable Access to Network bpf() Syscall From Unprivileged Processes  xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled  medium  CCE-82504-2

    Disable Access to Network bpf() Syscall From Unprivileged Processes

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_kernel_unprivileged_bpf_disabled:def:1
    Time: 2025-10-23T19:36:21+00:00
    Severity: medium
    Identifiers:

    CCE-82504-2

    References:
    disa: CCI-000366, CCI-001082
    nist: AC-6, SC-7(10)
    os-srg: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227
    anssi: R9
    Description
    To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command:
    $ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    kernel.unprivileged_bpf_disabled = 1
    Rationale
    Loading and accessing packet filter programs and maps using the bpf() syscall has the potential of revealing sensitive information about the kernel state.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,kernel.unprivileged_bpf_disabled%3D1%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_kernel_unprivileged_bpf_disabled.conf
            overwrite: true
    
    OVAL test results details

    kernel.unprivileged_bpf_disabled static configuration  oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_kernel_unprivileged_bpf_disabled:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1

    kernel.unprivileged_bpf_disabled static configuration  oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_kernel_unprivileged_bpf_disabled:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1

    kernel.unprivileged_bpf_disabled static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_kernel_unprivileged_bpf_disabled:obj:1 of type textfilecontent54_object
    Path  Filename  Pattern  Instance
    /usr/lib/sysctl.d  ^.*\.conf$  ^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*(.*\S)[\s]*$  1

    kernel runtime parameter kernel.unprivileged_bpf_disabled set to 1  oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison  Name  Value
    false  kernel.unprivileged_bpf_disabled  2
    Restrict usage of ptrace to descendant processes  xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope  medium  CCE-82501-8

    Restrict usage of ptrace to descendant processes

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_kernel_yama_ptrace_scope:def:1
    Time: 2025-10-23T19:36:25+00:00
    Severity: medium
    Identifiers:

    CCE-82501-8

    References:
    disa: CCI-000366, CCI-001082
    nist: SC-7(10)
    ospp: FMT_SMF_EXT.1
    os-srg: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227
    anssi: R11
    Description
    To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command:
    $ sudo sysctl -w kernel.yama.ptrace_scope=1
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    kernel.yama.ptrace_scope = 1
    Rationale
    Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the same user. In this way, an attacker can steal sensitive information from the target processes (e.g. SSH sessions, web browser, ...) without any additional assistance from the user (i.e. without resorting to phishing).

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,kernel.yama.ptrace_scope%3D1%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_kernel_yama_ptrace_scope.conf
            overwrite: true
    
    OVAL test results details

    kernel.yama.ptrace_scope static configuration  oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_kernel_yama_ptrace_scope:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1

    kernel.yama.ptrace_scope static configuration  oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_kernel_yama_ptrace_scope:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1

    kernel.yama.ptrace_scope static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_pkg_correct:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    false  /usr/lib/sysctl.d/10-default-yama-scope.conf  kernel.yama.ptrace_scope = 0

    kernel runtime parameter kernel.yama.ptrace_scope set to 1  oval:ssg-test_sysctl_kernel_yama_ptrace_scope_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Name | Value
    false | kernel.yama.ptrace_scope | 0
    Harden the operation of the BPF just-in-time compiler | xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden | medium | CCE-82505-9

    Harden the operation of the BPF just-in-time compiler

    Rule ID: xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sysctl_net_core_bpf_jit_harden:def:1
    Time: 2025-10-23T19:36:30+00:00
    Severity: medium
    Identifiers:

    CCE-82505-9

    References:
    disa: CCI-000366
    nist: CM-6, SC-7(10)
    os-srg: SRG-OS-000480-GPOS-00227
    anssi: R12
    Description
    To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command:
    $ sudo sysctl -w net.core.bpf_jit_harden=2
    To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.core.bpf_jit_harden = 2
    Rationale
    When hardened, the extended Berkeley Packet Filter just-in-time compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses in /proc/kallsyms.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,net.core.bpf_jit_harden%3D2%0A
            mode: 0644
            path: /etc/sysctl.d/75-sysctl_net_core_bpf_jit_harden.conf
            overwrite: true
    
    OVAL test results details

    net.core.bpf_jit_harden static configuration  oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_user:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_core_bpf_jit_harden:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_core_bpf_jit_harden:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_core_bpf_jit_harden:obj:1

    net.core.bpf_jit_harden static configuration  oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_user_missing:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_user_sysctl_net_core_bpf_jit_harden:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_static_etc_lib_sysctls_sysctl_net_core_bpf_jit_harden:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_core_bpf_jit_harden:obj:1

    net.core.bpf_jit_harden static configuration in /usr/lib/sysctl.d/*.conf  oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_pkg_correct:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_static_usr_lib_sysctld_sysctl_net_core_bpf_jit_harden:obj:1 of type textfilecontent54_object
    Path | Filename | Pattern | Instance
    /usr/lib/sysctl.d | ^.*\.conf$ | ^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*(.*\S)[\s]*$ | 1

    kernel runtime parameter net.core.bpf_jit_harden set to 2  oval:ssg-test_sysctl_net_core_bpf_jit_harden_runtime:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Name | Value
    false | net.core.bpf_jit_harden | 1
    Ensure SELinux Not Disabled in the kernel arguments | xccdf_org.ssgproject.content_rule_coreos_enable_selinux_kernel_argument | medium | CCE-83899-5

    Ensure SELinux Not Disabled in the kernel arguments

    Rule ID: xccdf_org.ssgproject.content_rule_coreos_enable_selinux_kernel_argument
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-coreos_enable_selinux_kernel_argument:def:1
    Time: 2025-10-23T19:36:34+00:00
    Severity: medium
    Identifiers:

    CCE-83899-5

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9
    cobit5: APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01
    cui: 3.1.2, 3.7.2
    disa: CCI-000022, CCI-000032
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)
    isa-62443-2009: 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nerc-cip: CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
    nist: AC-3, AC-3(3)(a)
    nist-csf: DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4
    app-srg-ctr: SRG-APP-000233-CTR-000585, CNTR-OS-000540
    bsi: APP.4.4.A4, SYS.1.6.A3, SYS.1.6.A18, SYS.1.6.A21
    Description
    SELinux can be disabled at boot time through a kernel argument. Remove any instance of selinux=0 from the kernel arguments (the options line of the boot loader entries under /boot/loader/entries/) to prevent SELinux from being disabled at boot.
    Rationale
    Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.
    OVAL test results details

    Check if /boot/loader/entries/ostree-2.*.conf does not exist  oval:ssg-test_coreos_enable_selinux_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_coreos_enable_selinux_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1 of type file_object
    Filepath
    ^/boot/loader/entries/ostree-2.*.conf

    Check if argument selinux=0 is present in the line starting with 'options ' in /boot/loader/entries/ostree-1.*.conf  oval:ssg-test_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_boot_loader_entries_ostree_1_conf:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    false | /boot/loader/entries/ostree-1.conf | options rw $ignition_firstboot ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1="all" psi=0

    Check if argument selinux=0 is present in the line starting with 'options ' in /boot/loader/entries/ostree-2.*.conf  oval:ssg-test_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_boot_loader_entries_ostree_2_conf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_boot_loader_entries_ostree_2_conf:obj:1 of type textfilecontent54_object
    Filepath | Pattern | Instance
    ^/boot/loader/entries/ostree-2.*.conf | ^options (.*)$ | 1

    Check if argument selinux=0 is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline  oval:ssg-test_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_proc_cmdline:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    false | /proc/cmdline | BOOT_IMAGE=(hd0,gpt3)/boot/ostree/rhcos-96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/vmlinuz-5.14.0-570.51.1.el9_6.x86_64 rw ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all psi=0
    Configure SELinux Policy | xccdf_org.ssgproject.content_rule_selinux_policytype | medium | CCE-82532-3

    Configure SELinux Policy

    Rule ID: xccdf_org.ssgproject.content_rule_selinux_policytype
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-selinux_policytype:def:1
    Time: 2025-10-23T19:36:34+00:00
    Severity: medium
    Identifiers:

    CCE-82532-3

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9
    cobit5: APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01
    cui: 3.1.2, 3.7.2
    disa: CCI-002696
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)
    isa-62443-2009: 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nerc-cip: CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5
    nist: AC-3, AC-3(3)(a), AU-9, SC-7(21)
    nist-csf: DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4
    ospp: FMT_MOF_EXT.1
    os-srg: SRG-OS-000445-GPOS-00199
    app-srg-ctr: SRG-APP-000233-CTR-000585, CNTR-OS-000540
    anssi: R46, R64
    bsi: APP.4.4.A4, SYS.1.6.A3, SYS.1.6.A18, SYS.1.6.A21
    pcidss4: 1.2.6, 1.2
    Description
    The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:
    SELINUXTYPE=targeted
    Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
    Rationale
    Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

    Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to targeted.
    OVAL test results details

    tests the value of SELINUXTYPE setting in the /etc/selinux/config file  oval:ssg-test_selinux_policytype:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    true | /etc/selinux/config | SELINUXTYPE=targeted

    The configuration file /etc/selinux/config exists for selinux_policytype  oval:ssg-test_selinux_policytype_config_file_exists:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Path | Type | UID | GID | Size (B) | Permissions
    not evaluated | /etc/selinux/config | regular | 0 | 0 | 1263 | rw-r--r--
    Ensure SELinux State is Enforcing | xccdf_org.ssgproject.content_rule_selinux_state | high | CCE-82531-5

    Ensure SELinux State is Enforcing

    Rule ID: xccdf_org.ssgproject.content_rule_selinux_state
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-selinux_state:def:1
    Time: 2025-10-23T19:36:34+00:00
    Severity: high
    Identifiers:

    CCE-82531-5

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9
    cobit5: APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01
    cui: 3.1.2, 3.7.2
    disa: CCI-002696, CCI-001084
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e)
    isa-62443-2009: 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nerc-cip: CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5
    nist: AC-3, AC-3(3)(a), AU-9, SC-7(21)
    nist-csf: DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4
    ospp: FMT_MOF_EXT.1
    os-srg: SRG-OS-000445-GPOS-00199, SRG-OS-000134-GPOS-00068
    anssi: R37, R79
    bsi: APP.4.4.A4, SYS.1.6.A3, SYS.1.6.A18, SYS.1.6.A21
    pcidss4: 1.2.6, 1.2
    app-srg-ctr: CNTR-OS-000540
    Description
    The SELinux state should be set to enforcing at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode:
    SELINUX=enforcing
    Rationale
    Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.
    OVAL test results details

    /selinux/enforce is 1  oval:ssg-test_etc_selinux_config:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    true | /etc/selinux/config | SELINUX=enforcing
    Enable the NTP Daemon | xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled | medium | CCE-82682-6

    Enable the NTP Daemon

    Rule ID: xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-service_chronyd_or_ntpd_enabled:def:1
    Time: 2025-10-23T19:36:43+00:00
    Severity: medium
    Identifiers:

    CCE-82682-6

    References:
    cis-csc: 1, 14, 15, 16, 3, 5, 6
    cobit5: APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01
    cui: 3.3.7
    disa: CCI-000160
    isa-62443-2009: 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9
    ism: 0988, 1405
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
    nist: CM-6(a), AU-8(1)(a), AU-12(1)
    nist-csf: PR.PT-1
    pcidss: Req-10.4.1
    app-srg-ctr: SRG-APP-000116-CTR-000235, CNTR-OS-000230, CNTR-OS-000240
    anssi: R71
    pcidss4: 10.6.1, 10.6
    Description
    As a user with administrator privileges, log into a node in the relevant pool:
    $ oc debug node/$NODE_NAME
    At the sh-4.4# prompt, run:
    # chroot /host
    Run the following command to determine the current status of the chronyd service:
    $ sudo systemctl is-active chronyd
    If the service is running, it should return the following:
    active
    Note: The chronyd daemon is enabled by default.

    As a user with administrator privileges, log into a node in the relevant pool:
    $ oc debug node/$NODE_NAME
    At the sh-4.4# prompt, run:
    # chroot /host
    Run the following command to determine the current status of the ntpd service:
    $ sudo systemctl is-active ntpd
    If the service is running, it should return the following:
    active
    Note: The ntpd daemon is not enabled by default. As mentioned in the previous sections, in certain environments ntpd may be preferred over chronyd. Refer to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite for guidance on which NTP daemon to choose for your environment.
    Rationale
    Enabling either the chronyd or the ntpd service ensures that an NTP daemon is running and that the system synchronizes its clock to the configured servers. This matters whether the system is configured only as a client (synchronizing its own clock) or also acts as an NTP server for other systems. Accurate time is essential for authentication services such as Kerberos, and it is equally important for keeping logs consistent and for auditing possible security breaches.

    The chronyd and ntpd NTP daemons offer all of the functionality of ntpdate, which is now deprecated.
    OVAL test results details

    package chrony is installed  oval:ssg-test_service_chronyd_package_chrony_installed:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
    not evaluated | chrony | x86_64 | (none) | 1.el9 | 4.6.1 | 0:4.6.1-1.el9 | 199e2f91fd431d51 | chrony-0:4.6.1-1.el9.x86_64

    Test that the chronyd service is running  oval:ssg-test_service_running_chronyd:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Unit | Property | Value
    true | chronyd.service | ActiveState | active

    systemd test  oval:ssg-test_multi_user_wants_chronyd:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Unit | Dependencies
    true | multi-user.target | basic.target, var.mount, sysinit.target, integritysetup.target, systemd-sysctl.service, ldconfig.service, systemd-pstore.service, systemd-binfmt.service, systemd-update-utmp.service, systemd-journal-catalog-update.service, systemd-journald.service, dev-hugepages.mount, systemd-pcrphase.service, selinux-autorelabel-mark.service, local-fs.target, ostree-remount.service, tmp.mount, boot.mount, systemd-remount-fs.service, systemd-pcrmachine.service, cryptsetup.target, clevis-luks-askpass.path, systemd-tmpfiles-setup-dev.service, systemd-ask-password-console.path, lvm2-lvmpolld.socket, dev-mqueue.mount, systemd-tmpfiles-setup.service, sys-kernel-tracing.mount, systemd-udev-trigger.service, systemd-hwdb-update.service, systemd-journal-flush.service, dracut-shutdown.service, sys-kernel-debug.mount, veritysetup.target, systemd-repart.service, sys-fs-fuse-connections.mount, systemd-machine-id-commit.service, ignition-delete-config.service, systemd-update-done.service, sys-kernel-config.mount, swap.target, kmod-static-nodes.service, systemd-network-generator.service, systemd-pcrphase-sysinit.service, iscsi-onboot.service, lvm2-monitor.service, systemd-modules-load.service, systemd-udevd.service, systemd-boot-update.service, multipathd.service, systemd-sysusers.service, coreos-printk-quiet.service, systemd-random-seed.service, systemd-boot-random-seed.service, proc-sys-fs-binfmt_misc.automount, slices.target, -.slice, system.slice, coreos-ignition-firstboot-complete.service, microcode.service, timers.target, unbound-anchor.timer, systemd-tmpfiles-clean.timer, logrotate.timer, paths.target, sockets.target, iscsid.socket, systemd-initctl.socket, iscsiuio.socket, systemd-coredump.socket, dbus.socket, dm-event.socket, systemd-journald-dev-log.socket, multipathd.socket, systemd-udevd-control.socket, systemd-journald.socket, systemd-udevd-kernel.socket, coreos-update-ca-trust.service, afterburn-sshkeys.target, getty.target, serial-getty@ttyS0.service, getty@tty1.service, chronyd.service, coreos-liveiso-success.service, systemd-update-utmp-runlevel.service, console-login-helper-messages-gensnippet-ssh-keys.service, NetworkManager.service, remote-fs.target, afterburn-firstboot-checkin.service, kubelet-cleanup.service, ostree-readonly-sysroot-migration.service, irqbalance.service, systemd-logind.service, mdmonitor.service, crio-subid.service, systemd-ask-password-wall.path, afterburn-checkin.service, sssd.service, rpm-ostree-fix-shadow-mode.service, auditd.service, ostree-boot-complete.service, vmtoolsd.service, kubelet.service, rhsmcertd.service, bootc-status-updated.path, gcp-routes.service, openvswitch.service, bootc-status-updated-onboot.target, coreos-ignition-delete-config.service, remote-cryptsetup.target, coreos-platform-chrony-config.service, sshd.service, systemd-user-sessions.service, coreos-ignition-write-issues.service

    systemd test  oval:ssg-test_multi_user_wants_chronyd_socket:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Unit | Dependencies
    false | multi-user.target | basic.target, var.mount, sysinit.target, integritysetup.target, systemd-sysctl.service, ldconfig.service, systemd-pstore.service, systemd-binfmt.service, systemd-update-utmp.service, systemd-journal-catalog-update.service, systemd-journald.service, dev-hugepages.mount, systemd-pcrphase.service, selinux-autorelabel-mark.service, local-fs.target, ostree-remount.service, tmp.mount, boot.mount, systemd-remount-fs.service, systemd-pcrmachine.service, cryptsetup.target, clevis-luks-askpass.path, systemd-tmpfiles-setup-dev.service, systemd-ask-password-console.path, lvm2-lvmpolld.socket, dev-mqueue.mount, systemd-tmpfiles-setup.service, sys-kernel-tracing.mount, systemd-udev-trigger.service, systemd-hwdb-update.service, systemd-journal-flush.service, dracut-shutdown.service, sys-kernel-debug.mount, veritysetup.target, systemd-repart.service, sys-fs-fuse-connections.mount, systemd-machine-id-commit.service, ignition-delete-config.service, systemd-update-done.service, sys-kernel-config.mount, swap.target, kmod-static-nodes.service, systemd-network-generator.service, systemd-pcrphase-sysinit.service, iscsi-onboot.service, lvm2-monitor.service, systemd-modules-load.service, systemd-udevd.service, systemd-boot-update.service, multipathd.service, systemd-sysusers.service, coreos-printk-quiet.service, systemd-random-seed.service, systemd-boot-random-seed.service, proc-sys-fs-binfmt_misc.automount, slices.target, -.slice, system.slice, coreos-ignition-firstboot-complete.service, microcode.service, timers.target, unbound-anchor.timer, systemd-tmpfiles-clean.timer, logrotate.timer, paths.target, sockets.target, iscsid.socket, systemd-initctl.socket, iscsiuio.socket, systemd-coredump.socket, dbus.socket, dm-event.socket, systemd-journald-dev-log.socket, multipathd.socket, systemd-udevd-control.socket, systemd-journald.socket, systemd-udevd-kernel.socket, coreos-update-ca-trust.service, afterburn-sshkeys.target, getty.target, serial-getty@ttyS0.service, getty@tty1.service, chronyd.service, coreos-liveiso-success.service, systemd-update-utmp-runlevel.service, console-login-helper-messages-gensnippet-ssh-keys.service, NetworkManager.service, remote-fs.target, afterburn-firstboot-checkin.service, kubelet-cleanup.service, ostree-readonly-sysroot-migration.service, irqbalance.service, systemd-logind.service, mdmonitor.service, crio-subid.service, systemd-ask-password-wall.path, afterburn-checkin.service, sssd.service, rpm-ostree-fix-shadow-mode.service, auditd.service, ostree-boot-complete.service, vmtoolsd.service, kubelet.service, rhsmcertd.service, bootc-status-updated.path, gcp-routes.service, openvswitch.service, bootc-status-updated-onboot.target, coreos-ignition-delete-config.service, remote-cryptsetup.target, coreos-platform-chrony-config.service, sshd.service, systemd-user-sessions.service, coreos-ignition-write-issues.service

    package ntp is installed  oval:ssg-test_service_ntpd_package_ntp_installed:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_test_service_ntpd_package_ntp_installed:obj:1 of type rpminfo_object
    Name
    ntp

    Test that the ntpd service is running  oval:ssg-test_service_running_ntpd:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_service_running_ntpd:obj:1 of type systemdunitproperty_object
    Unit | Property
    ^ntpd\.(socket|service)$ | ActiveState

    systemd test  oval:ssg-test_multi_user_wants_ntpd:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Unit | Dependencies
    false | multi-user.target | basic.target, var.mount, sysinit.target, integritysetup.target, systemd-sysctl.service, ldconfig.service, systemd-pstore.service, systemd-binfmt.service, systemd-update-utmp.service, systemd-journal-catalog-update.service, systemd-journald.service, dev-hugepages.mount, systemd-pcrphase.service, selinux-autorelabel-mark.service, local-fs.target, ostree-remount.service, tmp.mount, boot.mount, systemd-remount-fs.service, systemd-pcrmachine.service, cryptsetup.target, clevis-luks-askpass.path, systemd-tmpfiles-setup-dev.service, systemd-ask-password-console.path, lvm2-lvmpolld.socket, dev-mqueue.mount, systemd-tmpfiles-setup.service, sys-kernel-tracing.mount, systemd-udev-trigger.service, systemd-hwdb-update.service, systemd-journal-flush.service, dracut-shutdown.service, sys-kernel-debug.mount, veritysetup.target, systemd-repart.service, sys-fs-fuse-connections.mount, systemd-machine-id-commit.service, ignition-delete-config.service, systemd-update-done.service, sys-kernel-config.mount, swap.target, kmod-static-nodes.service, systemd-network-generator.service, systemd-pcrphase-sysinit.service, iscsi-onboot.service, lvm2-monitor.service, systemd-modules-load.service, systemd-udevd.service, systemd-boot-update.service, multipathd.service, systemd-sysusers.service, coreos-printk-quiet.service, systemd-random-seed.service, systemd-boot-random-seed.service, proc-sys-fs-binfmt_misc.automount, slices.target, -.slice, system.slice, coreos-ignition-firstboot-complete.service, microcode.service, timers.target, unbound-anchor.timer, systemd-tmpfiles-clean.timer, logrotate.timer, paths.target, sockets.target, iscsid.socket, systemd-initctl.socket, iscsiuio.socket, systemd-coredump.socket, dbus.socket, dm-event.socket, systemd-journald-dev-log.socket, multipathd.socket, systemd-udevd-control.socket, systemd-journald.socket, systemd-udevd-kernel.socket, coreos-update-ca-trust.service, afterburn-sshkeys.target, getty.target, serial-getty@ttyS0.service, getty@tty1.service, chronyd.service, coreos-liveiso-success.service, systemd-update-utmp-runlevel.service, console-login-helper-messages-gensnippet-ssh-keys.service, NetworkManager.service, remote-fs.target, afterburn-firstboot-checkin.service, kubelet-cleanup.service, ostree-readonly-sysroot-migration.service, irqbalance.service, systemd-logind.service, mdmonitor.service, crio-subid.service, systemd-ask-password-wall.path, afterburn-checkin.service, sssd.service, rpm-ostree-fix-shadow-mode.service, auditd.service, ostree-boot-complete.service, vmtoolsd.service, kubelet.service, rhsmcertd.service, bootc-status-updated.path, gcp-routes.service, openvswitch.service, bootc-status-updated-onboot.target, coreos-ignition-delete-config.service, remote-cryptsetup.target, coreos-platform-chrony-config.service, sshd.service, systemd-user-sessions.service, coreos-ignition-write-issues.service

    systemd test  oval:ssg-test_multi_user_wants_ntpd_socket:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: false
    Unit: multi-user.target
    Dependency: [the unit's full dependency list, as recorded by the scanner, is not reproduced here]
    Disable chrony daemon from acting as server

    Rule ID: xccdf_org.ssgproject.content_rule_chronyd_client_only
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-chronyd_client_only:def:1
    Time: 2025-10-23T19:36:43+00:00
    Severity: low
    Identifiers: CCE-82465-6

    References:
    disa: CCI-000382, CCI-000381
    nist: AU-8(1), AU-12(1)
    ospp: FMT_SMF_EXT.1
    os-srg: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049
    Description
    The port option in /etc/chrony.conf can be set to 0 so that the chrony daemon never opens a listening port for server operation and runs strictly in client-only mode.
    Rationale
    In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.

    Complexity: low
    Disruption: low
    Reboot: true
    Strategy: restrict
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }}
            mode: 420
            overwrite: true
            path: /etc/chrony.conf
          - contents:
              source: data:,
            mode: 420
            overwrite: true
            path: /etc/chrony.d/.mco-keep
          - contents:
              source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }}
            mode: 420
            overwrite: true
            path: /etc/chrony.d/ntp-server.conf
    
    OVAL test results details

    check if port is 0 in /etc/chrony.conf  oval:ssg-test_chronyd_client_only:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_chronyd_port_value:obj:1 of type textfilecontent54_object
    Filepath: /etc/chrony.conf
    Pattern: ^\s*port[\s]+(\S+)
    Instance: 1
    Disable network management of chrony daemon

    Rule ID: xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-chronyd_no_chronyc_network:def:1
    Time: 2025-10-23T19:36:43+00:00
    Severity: low
    Identifiers: CCE-82466-4

    References:
    disa: CCI-000382, CCI-000381
    nist: CM-7(1)
    os-srg: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049
    Description
    The cmdport option in /etc/chrony.conf can be set to 0 to stop the chrony daemon from listening on UDP port 323 for management connections from chronyc.
    Rationale
    Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.

    Complexity: low
    Disruption: low
    Reboot: true
    Strategy: restrict
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }}
            mode: 420
            overwrite: true
            path: /etc/chrony.conf
          - contents:
              source: data:,
            mode: 420
            overwrite: true
            path: /etc/chrony.d/.mco-keep
          - contents:
              source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }}
            mode: 420
            overwrite: true
            path: /etc/chrony.d/ntp-server.conf
    
    OVAL test results details

    check if cmdport is 0 in /etc/chrony.conf  oval:ssg-test_chronyd_no_chronyc_network:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_chronyd_cmdport_value:obj:1 of type textfilecontent54_object
    Filepath: /etc/chrony.conf
    Pattern: ^\s*cmdport[\s]+(\S+)
    Instance: 1
    Configure Time Service Maxpoll Interval

    Rule ID: xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-chronyd_or_ntpd_set_maxpoll:def:1
    Time: 2025-10-23T19:36:43+00:00
    Severity: medium
    Identifiers: CCE-82684-2

    References:
    cis-csc: 1, 14, 15, 16, 3, 5, 6
    cobit5: APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01
    disa: CCI-001890, CCI-004926, CCI-004923
    isa-62443-2009: 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
    nist: CM-6(a), AU-8(1)(b), AU-12(1)
    nist-csf: PR.PT-1
    os-srg: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, SRG-OS-000359-GPOS-00146
    Description
    The maxpoll value should be set to 10 in /etc/ntp.conf or /etc/chrony.conf (or a file under /etc/chrony.d/) so that time servers are polled continuously. To configure maxpoll in /etc/ntp.conf or /etc/chrony.conf (or /etc/chrony.d/), append the following to each server, pool or peer entry:
    maxpoll 10

    If using chrony, any pool directives should be configured too.

    Note that if the remediation shipping with this content is being used, the MachineConfig shipped does not include reference NTP servers to point to. It is up to the admin to set these, which will vary depending on the cluster's requirements.

    The aforementioned remediation does include the directory /etc/chrony.d which would allow the creation of configuration files to set these servers.

    If we'd like to set a configuration like the following:
    pool 2.rhel.pool.ntp.org iburst
    
    server 0.rhel.pool.ntp.org minpoll 4 maxpoll 10
    server 1.rhel.pool.ntp.org minpoll 4 maxpoll 10
    server 2.rhel.pool.ntp.org minpoll 4 maxpoll 10
    server 3.rhel.pool.ntp.org minpoll 4 maxpoll 10
    
    This could be done with the following manifest:
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      labels:
        machineconfiguration.openshift.io/role: master
      name: 75-master-chrony-servers
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,pool%202.rhel.pool.ntp.org%20iburst%0A%0Aserver%200.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%201.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%202.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%203.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010
            mode: 0600
            path: /etc/chrony.d/10-rhel-pool-and-servers.conf
            overwrite: true
    
    Note that this needs to be done for each MachineConfigPool.
    Rationale
    Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).

    Complexity: low
    Disruption: low
    Reboot: true
    Strategy: restrict
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }}
            mode: 420
            overwrite: true
            path: /etc/chrony.conf
          - contents:
              source: data:,
            mode: 420
            overwrite: true
            path: /etc/chrony.d/.mco-keep
          - contents:
              source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }}
            mode: 420
            overwrite: true
            path: /etc/chrony.d/ntp-server.conf
    
    OVAL test results details

    check if maxpoll is set in /etc/ntp.conf  oval:ssg-test_ntp_set_maxpoll:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_ntp_set_maxpoll:obj:1 of type textfilecontent54_object
    Filepath: /etc/ntp.conf
    Pattern: ^server[\s]+[\S]+.*maxpoll[\s]+(\d+)
    Instance: 1

    check if all server entries have maxpoll set in /etc/ntp.conf  oval:ssg-test_ntp_all_server_has_maxpoll:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_ntp_all_server_has_maxpoll:obj:1 of type textfilecontent54_object
    Filepath: /etc/ntp.conf
    Pattern: ^server[\s]+[\S]+[\s]+(.*)
    Instance: 1

    check if maxpoll is set in /etc/chrony.conf or /etc/chrony.d/  oval:ssg-test_chrony_set_maxpoll:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_chrony_set_maxpoll:obj:1 of type textfilecontent54_object
    Filepath: ^(/etc/chrony\.conf|/etc/chrony\.d/.+\.conf)$
    Pattern: ^(?:server|pool|peer)[\s]+[\S]+.*maxpoll[\s]+(\d+)
    Instance: 1

    check if all server entries have maxpoll set in /etc/chrony.conf or /etc/chrony.d/  oval:ssg-test_chrony_all_server_has_maxpoll:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison: false
    Path: /etc/chrony.conf
    Content: pool 2.rhel.pool.ntp.org iburst
    Specify Additional Remote NTP Servers

    Rule ID: xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-chronyd_or_ntpd_specify_multiple_servers:def:1
    Time: 2025-10-23T19:36:43+00:00
    Severity: medium
    Identifiers: CCE-82685-9

    References:
    cis-csc: 1, 14, 15, 16, 3, 5, 6
    cobit5: APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01
    isa-62443-2009: 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9
    ism: 0988, 1405
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
    nist: CM-6(a), AU-8(1)(a), AU-8(2), AU-12(1)
    nist-csf: PR.PT-1
    pcidss: Req-10.4.3
    Description
    Depending on the specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux CoreOS 4 system can be configured to use the services of either the chronyd NTP daemon (the default) or the ntpd NTP daemon. Refer to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite for a more detailed comparison of the features of the two choices and for further guidance on how to choose between the two NTP daemons.
    Additional NTP servers can be specified for time synchronization. To do so, perform the following:
    • if the system is configured to use chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf as follows,
    • if the system is configured to use ntpd as the NTP daemon, edit the file /etc/ntp.conf as documented below.
    Add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for ntpserver:
    server ntpserver
           

    Note that if the remediation shipping with this content is being used, the MachineConfig shipped does not include reference NTP servers to point to. It is up to the admin to set these, which will vary depending on the cluster's requirements.

    The aforementioned remediation does include the directory /etc/chrony.d which would allow the creation of configuration files to set these servers.

    If we'd like to set a configuration like the following:
    pool 2.rhel.pool.ntp.org iburst
    
    server 0.rhel.pool.ntp.org minpoll 4 maxpoll 10
    server 1.rhel.pool.ntp.org minpoll 4 maxpoll 10
    server 2.rhel.pool.ntp.org minpoll 4 maxpoll 10
    server 3.rhel.pool.ntp.org minpoll 4 maxpoll 10
    
    This could be done with the following manifest:
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      labels:
        machineconfiguration.openshift.io/role: master
      name: 75-master-chrony-servers
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,pool%202.rhel.pool.ntp.org%20iburst%0A%0Aserver%200.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%201.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%202.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%203.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010
            mode: 0600
            path: /etc/chrony.d/10-rhel-pool-and-servers.conf
            overwrite: true
    
    Note that this needs to be done for each MachineConfigPool.
    Rationale
    Specifying additional NTP servers increases the availability of accurate time data, in the event that one of the specified servers becomes unavailable. This is typical for a system acting as an NTP server for other systems.

    Complexity: low
    Disruption: low
    Reboot: true
    Strategy: restrict
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }}
            mode: 420
            overwrite: true
            path: /etc/chrony.conf
          - contents:
              source: data:,
            mode: 420
            overwrite: true
            path: /etc/chrony.d/.mco-keep
          - contents:
              source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }}
            mode: 420
            overwrite: true
            path: /etc/chrony.d/ntp-server.conf
    
    OVAL test results details

    Ensure more than one chronyd NTP server is set  oval:ssg-test_chronyd_multiple_servers:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_chronyd_multiple_servers:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/chrony\.(conf|d/.+\.conf)$
    Pattern: ^([\s]*server[\s]+.+$){2,}$
    Instance: 1

    Ensure more than one ntpd NTP server is set  oval:ssg-test_ntpd_multiple_servers:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_ntpd_multiple_servers:obj:1 of type textfilecontent54_object
    Filepath: /etc/ntp.conf
    Pattern: ^([\s]*server[\s]+.+$){2,}$
    Instance: 1
    Specify a Remote NTP Server

    Rule ID: xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-chronyd_or_ntpd_specify_remote_server:def:1
    Time: 2025-10-23T19:36:43+00:00
    Severity: medium
    Identifiers: CCE-82683-4

    References:
    cis-csc: 1, 14, 15, 16, 3, 5, 6
    cobit5: APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01
    cui: 3.3.7
    disa: CCI-000160, CCI-001891
    isa-62443-2009: 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
    nist: CM-6(a), AU-8(1)(a), AU-8(2), AU-12(1)
    nist-csf: PR.PT-1
    pcidss: Req-10.4.1, Req-10.4.3
    app-srg-ctr: SRG-APP-000116-CTR-000235, CNTR-OS-000230, CNTR-OS-000240
    Description
    Depending on the specific functional requirements of a concrete production environment, the Red Hat Enterprise Linux CoreOS 4 system can be configured to use the services of either the chronyd NTP daemon (the default) or the ntpd NTP daemon. Refer to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite for a more detailed comparison of the features of the two choices and for further guidance on how to choose between the two NTP daemons.
    To specify a remote NTP server for time synchronization, perform the following:
    • if the system is configured to use chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf as follows,
    • if the system is configured to use ntpd as the NTP daemon, edit the file /etc/ntp.conf as documented below.
    Add or correct the following lines, substituting the IP address or hostname of a remote NTP server for ntpserver:
    server ntpserver
           
    This instructs the NTP software to contact that remote server to obtain time data.

    Note that if the remediation shipping with this content is being used, the MachineConfig shipped does not include reference NTP servers to point to. It is up to the admin to set these, which will vary depending on the cluster's requirements.

    The aforementioned remediation does include the directory /etc/chrony.d which would allow the creation of configuration files to set these servers.

    If we'd like to set a configuration like the following:
    pool 2.rhel.pool.ntp.org iburst
    
    server 0.rhel.pool.ntp.org minpoll 4 maxpoll 10
    server 1.rhel.pool.ntp.org minpoll 4 maxpoll 10
    server 2.rhel.pool.ntp.org minpoll 4 maxpoll 10
    server 3.rhel.pool.ntp.org minpoll 4 maxpoll 10
    
    This could be done with the following manifest:
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      labels:
        machineconfiguration.openshift.io/role: master
      name: 75-master-chrony-servers
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,pool%202.rhel.pool.ntp.org%20iburst%0A%0Aserver%200.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%201.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%202.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%203.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010
            mode: 0600
            path: /etc/chrony.d/10-rhel-pool-and-servers.conf
            overwrite: true
    
    Note that this needs to be done for each MachineConfigPool.
    Rationale
    Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events.
    OVAL test results details

    Ensure at least one NTP server is set  oval:ssg-test_chronyd_remote_server:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /etc/chrony.conf
    Content: pool 2.rhel.pool.ntp.org iburst

    Ensure at least one ntpd NTP server is set  oval:ssg-test_ntp_remote_server:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_ntp_remote_server:obj:1 of type textfilecontent54_object
    Filepath: /etc/ntp.conf
    Pattern: ^[\s]*server[\s]+.+$
    Instance: 1
    Set SSH Client Alive Count Max

    Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_keepalive
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sshd_set_keepalive:def:1
    Time: 2025-10-23T19:36:43+00:00
    Severity: medium
    Identifiers: CCE-82464-9
    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8
    cjis: 5.5.6
    cobit5: APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
    cui: 3.1.11
    disa: CCI-001133, CCI-002361
    hipaa: 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
    isa-62443-2009: 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
    nerc-cip: CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
    nist: AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a)
    nist-csf: DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2
    pcidss: Req-8.1.8
    os-srg: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109
    pcidss4: 8.2.8, 8.2
    Description
    The SSH server sends at most ClientAliveCountMax messages during an SSH session and waits for a response from the SSH client. The option ClientAliveInterval configures the timeout after each ClientAliveCountMax message. If the SSH server does not receive a response from the client, the connection is considered unresponsive and is terminated. For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes a timeout precisely when the ClientAliveInterval is set. Starting with v8.2, a value of 0 disables the timeout functionality completely. If the option is set to a number greater than 0, the session will be disconnected after ClientAliveInterval * ClientAliveCountMax seconds without receiving a keepalive message.
    Rationale
    This ensures a user login will be terminated as soon as the ClientAliveInterval is reached.

    Complexity: low
    Disruption: low
    Reboot: false
    Strategy: restrict
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0AInclude%20/etc/ssh/sshd_config.d/%2A.conf%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AU
TH%0ASyslogFacility%20AUTHPRIV%0ALogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20Pa
sswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis
%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
            mode: 0600
            path: /etc/ssh/sshd_config
            overwrite: true
    
    OVAL test results details

    Verify if Profile set Value sshd_required as not required | oval:ssg-test_sshd_not_required:tst:1 | false

    Following items have been found on the system:
    Result of item-state comparison | Var ref | Value
    false | oval:ssg-sshd_required:var:1 | 0

    Verify if Value of sshd_required is the default | oval:ssg-test_sshd_requirement_unset:tst:1 | true

    Following items have been found on the system:
    Result of item-state comparison | Var ref | Value
    true | oval:ssg-sshd_required:var:1 | 0

    package openssh-server is removed | oval:ssg-test_package_openssh-server_removed:tst:1 | false

    Following items have been found on the system:
    Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
    not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64

    Verify if Profile set Value sshd_required as required | oval:ssg-test_sshd_required:tst:1 | false

    Following items have been found on the system:
    Result of item-state comparison | Var ref | Value
    false | oval:ssg-sshd_required:var:1 | 0

    Verify if Value of sshd_required is the default | oval:ssg-test_sshd_requirement_unset:tst:1 | true

    Following items have been found on the system:
    Result of item-state comparison | Var ref | Value
    true | oval:ssg-sshd_required:var:1 | 0

    package openssh-server is installed | oval:ssg-test_package_openssh-server_installed:tst:1 | true

    Following items have been found on the system:
    Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
    not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64

    tests the value of ClientAliveCountMax setting in the /etc/ssh/sshd_config file | oval:ssg-test_sshd_set_keepalive:tst:1 | true

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_sshd_set_keepalive:obj:1 of type textfilecontent54_object
    Filepath | Pattern | Instance
    /etc/ssh/sshd_config | ^[ \t]*(?i)ClientAliveCountMax(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1

    Verify that the value of ClientAliveCountMax is present | oval:ssg-test_ClientAliveCountMax_present_sshd_set_keepalive:tst:1 | false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_collection_obj_sshd_set_keepalive:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-obj_sshd_set_keepalive:obj:1
    Set SSH Client Alive Interval

    Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sshd_set_idle_timeout:def:1
    Time: 2025-10-23T19:36:43+00:00
    Severity: medium
    Identifiers: CCE-82549-7
    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8
    cjis: 5.5.6
    cobit5: APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10
    cui: 3.1.11
    disa: CCI-001133, CCI-002361, CCI-002891
    isa-62443-2009: 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
    nerc-cip: CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
    nist: CM-6(a), AC-17(a), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a)
    nist-csf: DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2
    pcidss: Req-8.1.8
    os-srg: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175
    pcidss4: 8.2.8, 8.2
    Description
    SSH allows administrators to set a network responsiveness timeout interval. After this interval has passed, the unresponsive client will be automatically logged out.

    To set this timeout interval, edit the following line in /etc/ssh/sshd_config as follows:
    ClientAliveInterval 300

    The timeout interval is given in seconds. For example, to have a timeout of 10 minutes, set the interval to 600.

    If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
    Rationale
    Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.
    Warnings
    warning  Disconnecting unresponsive SSH clients will not have the desired effect without also configuring ClientAliveCountMax in the SSH service configuration.
    warning  The following conditions may prevent the SSH session from timing out:
    • Processes on the remote machine generate output. As the output has to be transferred over the network to the client, the timeout is reset every time such a transfer happens.
    • Any scp or sftp activity by the same user to the host resets the timeout.
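    The interplay of ClientAliveInterval and ClientAliveCountMax described in this rule and the previous one, as an added example that is not part of the guide or of ComplianceAsCode: a small Python audit that reads the two options from sshd_config text the way sshd does (case-insensitive keyword, comments ignored, first occurrence wins) and derives the effective idle timeout, including the pre- and post-8.2 meaning of ClientAliveCountMax 0. Function names, the constructed sample configuration and the 600-second limit are ours; the scanned host in this report runs openssh-server 8.7p1.

```python
"""Audit ClientAliveInterval / ClientAliveCountMax in an sshd_config text and
derive the effective idle timeout, with the OpenSSH 8.2 change in the meaning
of ClientAliveCountMax 0 that the guide describes.

Added example, not part of the guide or ComplianceAsCode; function names and
the 600-second limit are ours. Matching follows sshd_config(5): keywords are
case-insensitive, '#' begins a comment, and the first occurrence of a keyword
wins. Include directives are not followed here (assumption: the caller passes
the already-merged text); the shipped config places 'Include
/etc/ssh/sshd_config.d/*.conf' before the ClientAlive* lines, so a drop-in
that sets them takes precedence over the main file.
"""
import re
from typing import Optional, Tuple

# Constructed sample config (not from a real host) exercising the edge cases.
SAMPLE_CONFIG = """\
#ClientAliveInterval 900          # commented out: must be ignored
clientaliveinterval 300 # lower-case keyword, trailing comment
ClientAliveCountMax 0
ClientAliveCountMax 3             # second occurrence: ignored, first wins
"""

_OPTION = re.compile(
    r"^[ \t]*(ClientAliveInterval|ClientAliveCountMax)[ \t]+(\d+)[ \t]*(?:#.*)?$",
    re.IGNORECASE,
)


def client_alive_settings(config_text: str) -> dict:
    """Return the first effective value of each option, or None when unset."""
    found = {"clientaliveinterval": None, "clientalivecountmax": None}
    for line in config_text.splitlines():
        m = _OPTION.match(line)
        if m:
            key = m.group(1).lower()
            if found[key] is None:          # first match wins, as in sshd
                found[key] = int(m.group(2))
    return found


def effective_idle_timeout(interval: Optional[int], countmax: Optional[int],
                           openssh_version: str) -> Optional[int]:
    """Seconds until an unresponsive client is dropped, or None if disabled.

    Unset options take the sshd_config(5) defaults (interval 0, countmax 3).
    Per the guide, countmax 0 means 'drop when the interval elapses' before
    8.2 and 'timeout disabled' from 8.2 on.
    """
    interval = 0 if interval is None else interval
    countmax = 3 if countmax is None else countmax
    if interval == 0:
        return None                         # no keepalive probes are sent
    m = re.match(r"(\d+)\.(\d+)", openssh_version)   # e.g. "8.7p1" -> (8, 7)
    if not m:
        raise ValueError(f"unrecognised OpenSSH version: {openssh_version!r}")
    if countmax == 0:
        return interval if (int(m.group(1)), int(m.group(2))) < (8, 2) else None
    return interval * countmax


def check(config_text: str, openssh_version: str,
          max_idle_seconds: int = 600) -> Tuple[bool, str]:
    """Verdict in the spirit of the two guide rules: both options explicitly
    set, mechanism enabled, and effective timeout within max_idle_seconds."""
    s = client_alive_settings(config_text)
    missing = [k for k, v in s.items() if v is None]
    if missing:
        return False, "not explicitly set: " + ", ".join(missing)
    timeout = effective_idle_timeout(s["clientaliveinterval"],
                                     s["clientalivecountmax"], openssh_version)
    if timeout is None:
        return False, "idle timeout disabled by the configured values"
    if timeout > max_idle_seconds:
        return False, f"effective timeout {timeout}s exceeds {max_idle_seconds}s"
    return True, f"effective timeout {timeout}s"


if __name__ == "__main__":
    # The scan in this report ran against openssh-server 8.7p1, so a
    # ClientAliveCountMax of 0 there switches the timeout off entirely.
    print(check(SAMPLE_CONFIG, "8.7p1"))
    print(check(SAMPLE_CONFIG, "8.0p1"))
```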

    Complexity: low
    Disruption: low
    Reboot: false
    Strategy: restrict
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0AInclude%20/etc/ssh/sshd_config.d/%2A.conf%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AU
TH%0ASyslogFacility%20AUTHPRIV%0ALogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20Pa
sswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis
%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
            mode: 0600
            path: /etc/ssh/sshd_config
            overwrite: true
    
    OVAL test results details

    Verify if Profile set Value sshd_required as not required | oval:ssg-test_sshd_not_required:tst:1 | false

    Following items have been found on the system:
    Result of item-state comparison | Var ref | Value
    false | oval:ssg-sshd_required:var:1 | 0

    Verify if Value of sshd_required is the default | oval:ssg-test_sshd_requirement_unset:tst:1 | true

    Following items have been found on the system:
    Result of item-state comparison | Var ref | Value
    true | oval:ssg-sshd_required:var:1 | 0

    package openssh-server is removed | oval:ssg-test_package_openssh-server_removed:tst:1 | false

    Following items have been found on the system:
    Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
    not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64

    Verify if Profile set Value sshd_required as required | oval:ssg-test_sshd_required:tst:1 | false

    Following items have been found on the system:
    Result of item-state comparison | Var ref | Value
    false | oval:ssg-sshd_required:var:1 | 0

    Verify if Value of sshd_required is the default | oval:ssg-test_sshd_requirement_unset:tst:1 | true

    Following items have been found on the system:
    Result of item-state comparison | Var ref | Value
    true | oval:ssg-sshd_required:var:1 | 0

    package openssh-server is installed | oval:ssg-test_package_openssh-server_installed:tst:1 | true

    Following items have been found on the system:
    Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
    not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64

    timeout is configured | oval:ssg-test_sshd_idle_timeout:tst:1 | true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_sshd_idle_timeout:obj:1 of type textfilecontent54_object
    Filepath | Pattern | Instance
    /etc/ssh/sshd_config | ^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$ | 1

    Verify that the value of ClientAliveInterval is present | oval:ssg-test_clientaliveinterval_present:tst:1 | false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_collection_obj_sshd_set_idle_timeout:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-object_sshd_idle_timeout:obj:1

    Verify if Profile set Value sshd_required as not required | oval:ssg-test_sshd_not_required:tst:1 | false

    Following items have been found on the system:
    Result of item-state comparison | Var ref | Value
    false | oval:ssg-sshd_required:var:1 | 0

    Verify if Value of sshd_required is the default | oval:ssg-test_sshd_requirement_unset:tst:1 | true

    Following items have been found on the system:
    Result of item-state comparison | Var ref | Value
    true | oval:ssg-sshd_required:var:1 | 0

    package openssh-server is removed | oval:ssg-test_package_openssh-server_removed:tst:1 | false

    Following items have been found on the system:
    Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
    not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64

    Verify if Profile set Value sshd_required as required | oval:ssg-test_sshd_required:tst:1 | false

    Following items have been found on the system:
    Result of item-state comparison | Var ref | Value
    false | oval:ssg-sshd_required:var:1 | 0

    Verify if Value of sshd_required is the default | oval:ssg-test_sshd_requirement_unset:tst:1 | true

    Following items have been found on the system:
    Result of item-state comparison | Var ref | Value
    true | oval:ssg-sshd_required:var:1 | 0

    package openssh-server is installed | oval:ssg-test_package_openssh-server_installed:tst:1 | true

    Following items have been found on the system:
    Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
    not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64

    tests the value of ClientAliveCountMax setting in the /etc/ssh/sshd_config file | oval:ssg-test_sshd_set_keepalive:tst:1 | true

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_sshd_set_keepalive:obj:1 of type textfilecontent54_object
    Filepath | Pattern | Instance
    /etc/ssh/sshd_config | ^[ \t]*(?i)ClientAliveCountMax(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1

    Verify that the value of ClientAliveCountMax is present | oval:ssg-test_ClientAliveCountMax_present_sshd_set_keepalive:tst:1 | false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_collection_obj_sshd_set_keepalive:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-obj_sshd_set_keepalive:obj:1
    Disable SSH Support for .rhosts Files

    Rule ID: xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sshd_disable_rhosts:def:1
    Time: 2025-10-23T19:36:43+00:00
    Severity: medium
    Identifiers: CCE-82665-1
    References:
    cis-csc: 11, 12, 14, 15, 16, 18, 3, 5, 9
    cjis: 5.5.6
    cobit5: BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06
    cui: 3.1.12
    disa: CCI-000366
    isa-62443-2009: 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6
    iso27001-2013: A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nist: AC-17(a), CM-7(a), CM-7(b), CM-6(a)
    nist-csf: PR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3
    os-srg: SRG-OS-000480-GPOS-00227
    pcidss4: 2.2.6, 2.2
    Description
    SSH can emulate the behavior of the obsolete rsh command by allowing users to enable insecure access to their accounts via .rhosts files.
    The default SSH configuration disables support for .rhosts; the appropriate configuration is used if no value is set for IgnoreRhosts.
    To explicitly disable support for .rhosts files, add or correct the following line in /etc/ssh/sshd_config:
    IgnoreRhosts yes
    Rationale
    SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.

    Complexity: low
    Disruption: low
    Reboot: false
    Strategy: restrict
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0AInclude%20/etc/ssh/sshd_config.d/%2A.conf%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AU
TH%0ASyslogFacility%20AUTHPRIV%0ALogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20Pa
sswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis
%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
            mode: 0600
            path: /etc/ssh/sshd_config
            overwrite: true
    
    OVAL test results details

    Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Var ref | Value
    false | oval:ssg-sshd_required:var:1 | 0

    Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Var ref | Value
    true | oval:ssg-sshd_required:var:1 | 0

    package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
    not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64

    Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Var ref | Value
    false | oval:ssg-sshd_required:var:1 | 0

    Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Var ref | Value
    true | oval:ssg-sshd_required:var:1 | 0

    package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
    not evaluated | openssh-server | x86_64 | (none) | 45.el9 | 8.7p1 | 0:8.7p1-45.el9 | 199e2f91fd431d51 | openssh-server-0:8.7p1-45.el9.x86_64

    tests the value of IgnoreRhosts setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_disable_rhosts:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_sshd_disable_rhosts:obj:1 of type textfilecontent54_object
    Filepath | Pattern | Instance
    /etc/ssh/sshd_config | ^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#) | 1

    Verify that the value of IgnoreRhosts is present  oval:ssg-test_IgnoreRhosts_present_sshd_disable_rhosts:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_collection_obj_sshd_disable_rhosts:obj:1 of type textfilecontent54_object
    Set
    oval:ssg-obj_sshd_disable_rhosts:obj:1
    Limit Users' SSH Access | xccdf_org.ssgproject.content_rule_sshd_limit_user_access | unknown | CCE-82664-4

    Limit Users' SSH Access

    Rule ID: xccdf_org.ssgproject.content_rule_sshd_limit_user_access
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-sshd_limit_user_access:def:1
    Time: 2025-10-23T19:36:43+00:00
    Severity: unknown
    Identifiers:

    CCE-82664-4

    References:
    cis-csc: 11, 12, 14, 15, 16, 18, 3, 5
    cobit5: DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06
    cui: 3.1.12
    isa-62443-2009: 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
    isa-62443-2013: SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
    iso27001-2013: A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nerc-cip: CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3
    nist: AC-3, CM-6(a)
    nist-csf: PR.AC-4, PR.AC-6, PR.PT-3
    pcidss: Req-2.2.4
    pcidss4: 2.2.6, 2.2
    Description
    By default, the SSH configuration allows any user with an account to access the system. Several sshd_config directives limit which users and groups can access the system via SSH. It is recommended that at least one of the following be used:
    - AllowUsers gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space-separated user names; numeric user IDs are not recognized. To allow a user's access only from a particular host, the entry can be written in the form user@host.
    - AllowGroups gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space-separated group names; numeric group IDs are not recognized.
    - DenyUsers gives the system administrator the option of denying specific users access to the system via ssh. The list consists of space-separated user names; numeric user IDs are not recognized. To deny a user's access only from a particular host, the entry can be written in the form user@host.
    - DenyGroups gives the system administrator the option of denying specific groups of users access to the system via ssh. The list consists of space-separated group names; numeric group IDs are not recognized.
    sshd evaluates these directives in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups. Once an AllowUsers or AllowGroups line is present, every account it does not match is refused, so the account used for node access (core on Red Hat Enterprise Linux CoreOS) must be covered before the change is applied.
    Rationale
    Specifying which accounts are allowed SSH access into the system reduces the possibility of unauthorized access to the system.
    Warnings
    Warning: Automated remediation is not available for this configuration check because each system has unique user names and group names.
    OVAL test results details

    Check if there is an AllowUsers entry  oval:ssg-test_allow_user_is_configured:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_allow_user:obj:1 of type textfilecontent54_object
    Filepath | Pattern | Instance
    ^\/etc\/ssh\/sshd_config.*$ | (?i)^[ ]*AllowUsers[ ]+((?:[^ \n]+[ ]*)+)$ | 1

    Check if there is an AllowGroups entry  oval:ssg-test_allow_group_is_configured:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_allow_group:obj:1 of type textfilecontent54_object
    Filepath | Pattern | Instance
    ^/etc/ssh/sshd_config.*$ | (?i)^[ ]*AllowGroups[ ]+((?:[^ \n]+[ ]*)+)$ | 1

    Check if there is a DenyUsers entry  oval:ssg-test_deny_user_is_configured:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_deny_user:obj:1 of type textfilecontent54_object
    Filepath | Pattern | Instance
    ^/etc/ssh/sshd_config.*$ | (?i)^[ ]*DenyUsers[ ]+((?:[^ \n]+[ ]*)+)$ | 1

    Check if there is a DenyGroups entry  oval:ssg-test_deny_group_is_configured:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_deny_group:obj:1 of type textfilecontent54_object
    Filepath | Pattern | Instance
    ^/etc/ssh/sshd_config.*$ | (?i)^[ ]*DenyGroups[ ]+((?:[^ \n]+[ ]*)+)$ | 1
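    The four OVAL checks above all failed because no AllowUsers/AllowGroups/DenyUsers/DenyGroups line exists. The following is an added example, not ComplianceAsCode content: it applies the rule's own regular expressions to sshd configuration text so an operator can see which directives a scanner would credit before a MachineConfig is rolled out. The two sample configurations are constructed; the drop-in directory /etc/ssh/sshd_config.d/ is scanned on the assumption that sshd includes it (RHEL 9's stock sshd_config does, but the file on this page is replaced wholesale, so confirm yours).

```python
"""Added example (not ComplianceAsCode content): evaluate the
sshd_limit_user_access check against sshd configuration text using the
rule's own OVAL patterns."""
import glob
import re

# The OVAL patterns verbatim: case-insensitive, anchored per line, and
# requiring at least one argument after the keyword. Note that only spaces
# are tolerated before the keyword: a tab-indented directive that sshd
# happily honours is invisible to the check.
DIRECTIVES = {
    "AllowUsers":  re.compile(r"(?i)^[ ]*AllowUsers[ ]+((?:[^ \n]+[ ]*)+)$", re.M),
    "AllowGroups": re.compile(r"(?i)^[ ]*AllowGroups[ ]+((?:[^ \n]+[ ]*)+)$", re.M),
    "DenyUsers":   re.compile(r"(?i)^[ ]*DenyUsers[ ]+((?:[^ \n]+[ ]*)+)$", re.M),
    "DenyGroups":  re.compile(r"(?i)^[ ]*DenyGroups[ ]+((?:[^ \n]+[ ]*)+)$", re.M),
}


def find_access_limits(config_text):
    """Return {directive: [argument string, ...]} for every effective line.
    sshd applies them in the order DenyUsers, AllowUsers, DenyGroups,
    AllowGroups; an Allow* line refuses every account it does not match."""
    found = {}
    for name, pattern in DIRECTIVES.items():
        args = [m.group(1).strip() for m in pattern.finditer(config_text)]
        if args:
            found[name] = args
    return found


def rule_passes(config_texts):
    """The rule passes when any of the four directives appears anywhere."""
    return any(find_access_limits(text) for text in config_texts)


def load_sshd_configs(main="/etc/ssh/sshd_config",
                      dropins="/etc/ssh/sshd_config.d/*.conf"):
    """Live configuration: main file plus drop-ins (assumed to be included)."""
    texts = []
    for path in [main] + sorted(glob.glob(dropins)):
        try:
            with open(path) as fh:
                texts.append(fh.read())
        except OSError:
            pass
    return texts


# Constructed sample inputs, not real system files.
SAMPLE_UNRESTRICTED = """\
PermitRootLogin no
PasswordAuthentication no
#AllowUsers alice
"""

SAMPLE_RESTRICTED = """\
# Drop-in: only members of ssh-admins may log in; "core" (the default RHCOS
# login user) must be a member of that group or it locks itself out.
AllowGroups ssh-admins
  DenyUsers guest@10.0.0.5 build
"""

SAMPLE_TAB_INDENTED = "\tAllowUsers bob\n"   # honoured by sshd, missed by the check


if __name__ == "__main__":
    texts = load_sshd_configs()
    for text in texts:
        print(find_access_limits(text))
    print("rule passes:", rule_passes(texts))
```

    Run it as root on a node (for example through a debug pod with the host filesystem mounted) to see which directives the scanner would credit; the tab-indented sample shows one way a configuration can satisfy sshd yet still fail the check.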
    Verify Group Who Owns SSH Server config file | xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config | medium

    Verify Group Who Owns SSH Server config file

    Rule ID: xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-file_groupowner_sshd_config:def:1
    Time: 2025-10-23T19:36:43+00:00
    Severity: medium
    References:
    cis-csc: 12, 13, 14, 15, 16, 18, 3, 5
    cobit5: APO01.06, DSS05.04, DSS05.07, DSS06.02
    disa: CCI-000366
    isa-62443-2009: 4.3.3.7.3
    isa-62443-2013: SR 2.1, SR 5.2
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nerc-cip: CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
    nist: AC-17(a), CM-6(a), AC-6(1)
    nist-csf: PR.AC-4, PR.DS-5
    os-srg: SRG-OS-000480-GPOS-00227
    anssi: R50
    Description
    To properly set the group owner of /etc/ssh/sshd_config, run the command:
    $ sudo chgrp root /etc/ssh/sshd_config
    Rationale
    Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
    OVAL test results details

    Testing group ownership of /etc/ssh/sshd_config  oval:ssg-test_file_groupowner_sshd_config_0:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_file_groupowner_sshd_config_0:obj:1 of type file_object
    Filepath | Filter | Filter
    /etc/ssh/sshd_config | oval:ssg-symlink_file_groupowner_sshd_config_uid_0:ste:1 | oval:ssg-state_file_groupowner_sshd_config_gid_0_0:ste:1
    Verify Owner on SSH Server config file | xccdf_org.ssgproject.content_rule_file_owner_sshd_config | medium

    Verify Owner on SSH Server config file

    Rule ID: xccdf_org.ssgproject.content_rule_file_owner_sshd_config
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-file_owner_sshd_config:def:1
    Time: 2025-10-23T19:36:43+00:00
    Severity: medium
    References:
    cis-csc: 12, 13, 14, 15, 16, 18, 3, 5
    cobit5: APO01.06, DSS05.04, DSS05.07, DSS06.02
    disa: CCI-000366
    isa-62443-2009: 4.3.3.7.3
    isa-62443-2013: SR 2.1, SR 5.2
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nerc-cip: CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
    nist: AC-17(a), CM-6(a), AC-6(1)
    nist-csf: PR.AC-4, PR.DS-5
    os-srg: SRG-OS-000480-GPOS-00227
    anssi: R50
    Description
    To properly set the owner of /etc/ssh/sshd_config, run the command:
    $ sudo chown root /etc/ssh/sshd_config
    Rationale
    Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
    OVAL test results details

    Testing user ownership of /etc/ssh/sshd_config  oval:ssg-test_file_owner_sshd_config_0:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_file_owner_sshd_config_0:obj:1 of type file_object
    Filepath | Filter | Filter
    /etc/ssh/sshd_config | oval:ssg-symlink_file_owner_sshd_config_uid_0:ste:1 | oval:ssg-state_file_owner_sshd_config_uid_0_0:ste:1
    Verify Permissions on SSH Server config file | xccdf_org.ssgproject.content_rule_file_permissions_sshd_config | medium

    Verify Permissions on SSH Server config file

    Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_sshd_config
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-file_permissions_sshd_config:def:1
    Time: 2025-10-23T19:36:43+00:00
    Severity: medium
    References:
    cis-csc: 12, 13, 14, 15, 16, 18, 3, 5
    cobit5: APO01.06, DSS05.04, DSS05.07, DSS06.02
    disa: CCI-000366
    isa-62443-2009: 4.3.3.7.3
    isa-62443-2013: SR 2.1, SR 5.2
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nerc-cip: CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
    nist: AC-17(a), CM-6(a), AC-6(1)
    nist-csf: PR.AC-4, PR.DS-5
    os-srg: SRG-OS-000480-GPOS-00227
    anssi: R50
    pcidss4: 2.2.6, 2.2
    Description
    To properly set the permissions of /etc/ssh/sshd_config, run the command:
    $ sudo chmod 0600 /etc/ssh/sshd_config
    Rationale
    Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have restrictive permissions to prevent unauthorized changes.
    OVAL test results details

    Testing mode of /etc/ssh/sshd_config  oval:ssg-test_file_permissions_sshd_config_0:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_file_permissions_sshd_config_0:obj:1 of type file_object
    Filepath | Filter | Filter
    /etc/ssh/sshd_config | oval:ssg-exclude_symlinks__sshd_config:ste:1 | oval:ssg-state_file_permissions_sshd_config_0_mode_0600or_stricter_:ste:1
    Verify Permissions on SSH Server Private *_key Key Files | xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key | medium

    Verify Permissions on SSH Server Private *_key Key Files

    Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-file_permissions_sshd_private_key:def:1
    Time: 2025-10-23T19:36:43+00:00
    Severity: medium
    References:
    cis-csc: 12, 13, 14, 15, 16, 18, 3, 5
    cobit5: APO01.06, DSS05.04, DSS05.07, DSS06.02
    cui: 3.1.13, 3.13.10
    disa: CCI-000366
    isa-62443-2009: 4.3.3.7.3
    isa-62443-2013: SR 2.1, SR 5.2
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nerc-cip: CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
    nist: AC-17(a), CM-6(a), AC-6(1)
    nist-csf: PR.AC-4, PR.DS-5
    pcidss: Req-2.2.4
    os-srg: SRG-OS-000480-GPOS-00227
    anssi: R50
    pcidss4: 2.2.6, 2.2
    Description
    SSH server private keys, that is, files matching the /etc/ssh/*_key glob, must have restricted permissions. If they are owned by the root user and the root group, they must have mode 0640 or stricter. If they are owned by the root user but by the dedicated group ssh_keys, they may have mode 0640 or stricter. Symbolic links are excluded from the check.
    Rationale
    If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
    Warnings
    Warning: Remediation is not possible at bootable container build time because SSH host keys are generated post-deployment.
    OVAL test results details

    No keys that have unsafe ownership/permissions combination exist  oval:ssg-test_no_offending_keys:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_offending_keys:obj:1 of type file_object
    Path | Filename | Filter | Filter | Filter
    /etc/ssh | .*_key$ | oval:ssg-exclude_symlinks__sshd_private_key:ste:1 | oval:ssg-filter_ssh_key_owner_root:ste:1 | oval:ssg-filter_ssh_key_owner_ssh_keys:ste:1
    Verify Permissions on SSH Server Public *.pub Key Files | xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key | medium

    Verify Permissions on SSH Server Public *.pub Key Files

    Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key
    Result: pass
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-file_permissions_sshd_pub_key:def:1
    Time: 2025-10-23T19:36:43+00:00
    Severity: medium
    References:
    cis-csc: 12, 13, 14, 15, 16, 18, 3, 5
    cobit5: APO01.06, DSS05.04, DSS05.07, DSS06.02
    cui: 3.1.13, 3.13.10
    disa: CCI-000366
    isa-62443-2009: 4.3.3.7.3
    isa-62443-2013: SR 2.1, SR 5.2
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nerc-cip: CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
    nist: AC-17(a), CM-6(a), AC-6(1)
    nist-csf: PR.AC-4, PR.DS-5
    pcidss: Req-2.2.4
    os-srg: SRG-OS-000480-GPOS-00227
    anssi: R50
    pcidss4: 2.2.6, 2.2
    Description
    To properly set the permissions of /etc/ssh/*.pub, run the command:
    $ sudo chmod 0644 /etc/ssh/*.pub
    Rationale
    If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
    Warnings
    Warning: Remediation is not possible at bootable container build time because SSH host keys are generated post-deployment.
    OVAL test results details

    Testing mode of /etc/ssh/  oval:ssg-test_file_permissions_sshd_pub_key_0:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_file_permissions_sshd_pub_key_0:obj:1 of type file_object
    Path | Filename | Filter | Filter
    /etc/ssh | ^.*\.pub$ | oval:ssg-exclude_symlinks__sshd_pub_key:ste:1 | oval:ssg-state_file_permissions_sshd_pub_key_0_mode_0644or_stricter_:ste:1
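    The five file rules above (config owner, group and mode; private key ownership and mode; public key mode) share one shape: stat the file, skip symbolic links, compare against an "X or stricter" mode and, where required, an owner and a group. The following is an added example, not ComplianceAsCode content, that audits an SSH directory with exactly those criteria. The fixture built by make_sample_dir() is constructed test data; on a real node run audit_ssh_dir() as root, since host keys are unreadable to anyone else.

```python
"""Added example (not ComplianceAsCode content): audit the SSH server files
covered by the owner/group/permission rules, using their criteria:

  sshd_config   owner root, group root, mode 0600 or stricter
  *_key         owner root, group root or ssh_keys, mode 0640 or stricter
  *.pub         mode 0644 or stricter

Symbolic links are skipped, as the OVAL objects' symlink filters do."""
import glob
import grp
import os
import pwd
import stat
import tempfile


def mode_at_most(st_mode, limit):
    """True when every permission bit set in st_mode is also set in limit,
    i.e. the file is "limit or stricter" in the sense the OVAL states use."""
    return (stat.S_IMODE(st_mode) & ~limit) == 0


def _user_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def _group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit_file(path, owner=None, groups=None, max_mode=None):
    """Findings for one file as (path, kind, detail) tuples, kind being
    "owner", "group" or "mode"; an empty list means compliant."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return []       # host keys only exist post-deployment; nothing to judge
    if stat.S_ISLNK(st.st_mode):
        return []       # symlinks are excluded by the checks' filters
    findings = []
    if owner is not None and _user_name(st.st_uid) != owner:
        findings.append((path, "owner", f"{_user_name(st.st_uid)} != {owner}"))
    if groups is not None and _group_name(st.st_gid) not in groups:
        findings.append((path, "group", f"{_group_name(st.st_gid)} not in {sorted(groups)}"))
    if max_mode is not None and not mode_at_most(st.st_mode, max_mode):
        findings.append((path, "mode",
                         f"{stat.S_IMODE(st.st_mode):04o} looser than {max_mode:04o}"))
    return findings


def audit_ssh_dir(ssh_dir="/etc/ssh"):
    """Apply the rules' criteria to one SSH configuration directory."""
    findings = audit_file(os.path.join(ssh_dir, "sshd_config"),
                          owner="root", groups={"root"}, max_mode=0o600)
    for key in sorted(glob.glob(os.path.join(ssh_dir, "*_key"))):
        findings += audit_file(key, owner="root", groups={"root", "ssh_keys"}, max_mode=0o640)
    for pub in sorted(glob.glob(os.path.join(ssh_dir, "*.pub"))):
        findings += audit_file(pub, max_mode=0o644)
    return findings


def make_sample_dir():
    """Constructed fixture: one compliant key, one key left world-readable
    (a common mistake after copying host keys between hosts), a symlink
    that must be ignored, public keys and a config file."""
    d = tempfile.mkdtemp(prefix="ssh-audit-")
    for name, mode in [("sshd_config", 0o600),
                       ("ssh_host_ed25519_key", 0o600),
                       ("ssh_host_ed25519_key.pub", 0o644),
                       ("ssh_host_rsa_key", 0o644),        # too loose
                       ("ssh_host_rsa_key.pub", 0o644)]:
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("placeholder, not a real key\n")
        os.chmod(path, mode)
    os.symlink(os.path.join(d, "ssh_host_rsa_key"), os.path.join(d, "legacy_key"))
    return d


def sample_mode_findings():
    """Basenames of fixture files with a mode finding. Owner and group
    findings are left out here because the fixture belongs to whoever
    runs this, not to root."""
    return {os.path.basename(p) for p, kind, _ in audit_ssh_dir(make_sample_dir())
            if kind == "mode"}


if __name__ == "__main__":
    for path, kind, detail in audit_ssh_dir():
        print(f"{path}: {kind}: {detail}")
```

    The "or stricter" comparison is a bitmask test rather than a numeric one: 0o640 is numerically larger than 0o600 yet stricter than 0o644, which a plain less-than on the mode value would get wrong.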
    Install usbguard Package | xccdf_org.ssgproject.content_rule_package_usbguard_installed | medium | CCE-82524-0

    Install usbguard Package

    Rule ID: xccdf_org.ssgproject.content_rule_package_usbguard_installed
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-package_usbguard_installed:def:1
    Time: 2025-10-23T19:36:43+00:00
    Severity: medium
    Identifiers:

    CCE-82524-0

    References:
    disa: CCI-001958, CCI-003959
    ism: 1418
    nist: CM-8(3), IA-3
    ospp: FMT_SMF_EXT.1
    os-srg: SRG-OS-000378-GPOS-00163
    app-srg-ctr: SRG-APP-000141-CTR-000315, CNTR-OS-001010, CNTR-OS-001020, CNTR-OS-001030
    Description
    The usbguard package can be installed with the following manifest:
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      labels:
        machineconfiguration.openshift.io/role: master
      name: 75-master-usbguard-install
    spec:
      config:
        ignition:
          version: 3.1.0
      extensions:
        - usbguard
    

    This will install the usbguard package on all nodes labeled with the "master" role.

    Note that this needs to be done for each MachineConfigPool.

    For more information on how to configure nodes with the Machine Config Operator, see the relevant documentation.

    Rationale
    usbguard is a software framework that helps to protect against rogue USB devices by implementing basic whitelisting/blacklisting capabilities based on USB device attributes.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
      extensions:
        - usbguard
    
    OVAL test results details

    package usbguard is installed  oval:ssg-test_package_usbguard_installed:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_test_package_usbguard_installed:obj:1 of type rpminfo_object
    Name
    usbguard
    Enable the USBGuard Service | xccdf_org.ssgproject.content_rule_service_usbguard_enabled | medium | CCE-82537-2

    Enable the USBGuard Service

    Rule ID: xccdf_org.ssgproject.content_rule_service_usbguard_enabled
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-service_usbguard_enabled:def:1
    Time: 2025-10-23T19:36:48+00:00
    Severity: medium
    Identifiers:

    CCE-82537-2

    References:
    disa: CCI-001958, CCI-003959
    ism: 1418
    nist: CM-8(3)(a), IA-3
    ospp: FMT_SMF_EXT.1
    os-srg: SRG-OS-000378-GPOS-00163
    app-srg-ctr: SRG-APP-000141-CTR-000315, CNTR-OS-001010, CNTR-OS-001020, CNTR-OS-001030
    Description
    The USBGuard service should be enabled. The usbguard service can be enabled with the following manifest:
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      labels:
        machineconfiguration.openshift.io/role: master
      name: 75-master-usbguard-enable
    spec:
      config:
        ignition:
          version: 3.1.0
        systemd:
          units:
          - name: usbguard.service
            enabled: true
    

    This will enable the usbguard service on all nodes labeled with the "master" role.

    Note that this needs to be done for each MachineConfigPool.

    For more information on how to configure nodes with the Machine Config Operator, see the relevant documentation.

    Rationale
    The usbguard service must be running in order to enforce the USB device authorization policy for all USB devices.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      annotations:
        complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed
    spec:
      config:
        ignition:
          version: 3.1.0
        systemd:
          units:
          - name: usbguard.service
            enabled: true
    
    OVAL test results details

    package usbguard is installed  oval:ssg-test_service_usbguard_package_usbguard_installed:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_test_service_usbguard_package_usbguard_installed:obj:1 of type rpminfo_object
    Name
    usbguard

    Test that the usbguard service is running  oval:ssg-test_service_running_usbguard:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_service_running_usbguard:obj:1 of type systemdunitproperty_object
    Unit | Property
    ^usbguard\.(socket|service)$ | ActiveState

    systemd test  oval:ssg-test_multi_user_wants_usbguard:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Unit | Dependencies
    false | multi-user.target | basic.target, var.mount, sysinit.target, integritysetup.target, systemd-sysctl.service, ldconfig.service, systemd-pstore.service, systemd-binfmt.service, systemd-update-utmp.service, systemd-journal-catalog-update.service, systemd-journald.service, dev-hugepages.mount, systemd-pcrphase.service, selinux-autorelabel-mark.service, local-fs.target, ostree-remount.service, tmp.mount, boot.mount, systemd-remount-fs.service, systemd-pcrmachine.service, cryptsetup.target, clevis-luks-askpass.path, systemd-tmpfiles-setup-dev.service, systemd-ask-password-console.path, lvm2-lvmpolld.socket, dev-mqueue.mount, systemd-tmpfiles-setup.service, sys-kernel-tracing.mount, systemd-udev-trigger.service, systemd-hwdb-update.service, systemd-journal-flush.service, dracut-shutdown.service, sys-kernel-debug.mount, veritysetup.target, systemd-repart.service, sys-fs-fuse-connections.mount, systemd-machine-id-commit.service, ignition-delete-config.service, systemd-update-done.service, sys-kernel-config.mount, swap.target, kmod-static-nodes.service, systemd-network-generator.service, systemd-pcrphase-sysinit.service, iscsi-onboot.service, lvm2-monitor.service, systemd-modules-load.service, systemd-udevd.service, systemd-boot-update.service, multipathd.service, systemd-sysusers.service, coreos-printk-quiet.service, systemd-random-seed.service, systemd-boot-random-seed.service, proc-sys-fs-binfmt_misc.automount, slices.target, -.slice, system.slice, coreos-ignition-firstboot-complete.service, microcode.service, timers.target, unbound-anchor.timer, systemd-tmpfiles-clean.timer, logrotate.timer, paths.target, sockets.target, iscsid.socket, systemd-initctl.socket, iscsiuio.socket, systemd-coredump.socket, dbus.socket, dm-event.socket, systemd-journald-dev-log.socket, multipathd.socket, systemd-udevd-control.socket, systemd-journald.socket, systemd-udevd-kernel.socket, coreos-update-ca-trust.service, afterburn-sshkeys.target, getty.target, serial-getty@ttyS0.service, getty@tty1.service, chronyd.service, coreos-liveiso-success.service, systemd-update-utmp-runlevel.service, console-login-helper-messages-gensnippet-ssh-keys.service, NetworkManager.service, remote-fs.target, afterburn-firstboot-checkin.service, kubelet-cleanup.service, ostree-readonly-sysroot-migration.service, irqbalance.service, systemd-logind.service, mdmonitor.service, crio-subid.service, systemd-ask-password-wall.path, afterburn-checkin.service, sssd.service, rpm-ostree-fix-shadow-mode.service, auditd.service, ostree-boot-complete.service, vmtoolsd.service, kubelet.service, rhsmcertd.service, bootc-status-updated.path, gcp-routes.service, openvswitch.service, bootc-status-updated-onboot.target, coreos-ignition-delete-config.service, remote-cryptsetup.target, coreos-platform-chrony-config.service, sshd.service, systemd-user-sessions.service, coreos-ignition-write-issues.service
    (usbguard.service is not among the dependencies of multi-user.target, which is why the comparison is false.)

    systemd test  oval:ssg-test_multi_user_wants_usbguard_socket:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Unit | Dependencies
    false | multi-user.target | basic.target, var.mount, sysinit.target, integritysetup.target, systemd-sysctl.service, ldconfig.service, systemd-pstore.service, systemd-binfmt.service, systemd-update-utmp.service, systemd-journal-catalog-update.service, systemd-journald.service, dev-hugepages.mount, systemd-pcrphase.service, selinux-autorelabel-mark.service, local-fs.target, ostree-remount.service, tmp.mount, boot.mount, systemd-remount-fs.service, systemd-pcrmachine.service, cryptsetup.target, clevis-luks-askpass.path, systemd-tmpfiles-setup-dev.service, systemd-ask-password-console.path, lvm2-lvmpolld.socket, dev-mqueue.mount, systemd-tmpfiles-setup.service, sys-kernel-tracing.mount, systemd-udev-trigger.service, systemd-hwdb-update.service, systemd-journal-flush.service, dracut-shutdown.service, sys-kernel-debug.mount, veritysetup.target, systemd-repart.service, sys-fs-fuse-connections.mount, systemd-machine-id-commit.service, ignition-delete-config.service, systemd-update-done.service, sys-kernel-config.mount, swap.target, kmod-static-nodes.service, systemd-network-generator.service, systemd-pcrphase-sysinit.service, iscsi-onboot.service, lvm2-monitor.service, systemd-modules-load.service, systemd-udevd.service, systemd-boot-update.service, multipathd.service, systemd-sysusers.service, coreos-printk-quiet.service, systemd-random-seed.service, systemd-boot-random-seed.service, proc-sys-fs-binfmt_misc.automount, slices.target, -.slice, system.slice, coreos-ignition-firstboot-complete.service, microcode.service, timers.target, unbound-anchor.timer, systemd-tmpfiles-clean.timer, logrotate.timer, paths.target, sockets.target, iscsid.socket, systemd-initctl.socket, iscsiuio.socket, systemd-coredump.socket, dbus.socket, dm-event.socket, systemd-journald-dev-log.socket, multipathd.socket, systemd-udevd-control.socket, systemd-journald.socket, systemd-udevd-kernel.socket, coreos-update-ca-trust.service, afterburn-sshkeys.target, getty.target, serial-getty@ttyS0.service, getty@tty1.service, chronyd.service, coreos-liveiso-success.service, systemd-update-utmp-runlevel.service, console-login-helper-messages-gensnippet-ssh-keys.service, NetworkManager.service, remote-fs.target, afterburn-firstboot-checkin.service, kubelet-cleanup.service, ostree-readonly-sysroot-migration.service, irqbalance.service, systemd-logind.service, mdmonitor.service, crio-subid.service, systemd-ask-password-wall.path, afterburn-checkin.service, sssd.service, rpm-ostree-fix-shadow-mode.service, auditd.service, ostree-boot-complete.service, vmtoolsd.service, kubelet.service, rhsmcertd.service, bootc-status-updated.path, gcp-routes.service, openvswitch.service, bootc-status-updated-onboot.target, coreos-ignition-delete-config.service, remote-cryptsetup.target, coreos-platform-chrony-config.service, sshd.service, systemd-user-sessions.service, coreos-ignition-write-issues.service
    (usbguard.socket is not among the dependencies of multi-user.target either, so this comparison is also false.)
    Log USBGuard daemon audit events using Linux Audit | xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend | low | CCE-82538-0

    Log USBGuard daemon audit events using Linux Audit

    Rule ID: xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
    Result: notapplicable
    Multi-check rule: no
    Time: 2025-10-23T19:36:48+00:00
    Severity: low
    Identifiers:

    CCE-82538-0

    References:
    disa: CCI-000169
    nist: AU-2, CM-8(3), IA-3
    ospp: FMT_SMF_EXT.1
    os-srg: SRG-OS-000062-GPOS-00031, SRG-OS-000471-GPOS-00215
    app-srg-ctr: SRG-APP-000141-CTR-000315, CNTR-OS-001010, CNTR-OS-001020, CNTR-OS-001030
    Description
    To configure the USBGuard daemon to log via Linux Audit (rather than directly to a file), the AuditBackend option in /etc/usbguard/usbguard-daemon.conf needs to be set to LinuxAudit.
    Rationale
    Logging through Linux Audit allows events to be traced centrally.
    Authorize Human Interface Devices and USB hubs in USBGuard daemon | xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub | medium | CCE-82539-8

    Authorize Human Interface Devices and USB hubs in USBGuard daemon

    Rule ID: xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-usbguard_allow_hid_and_hub:def:1
    Time: 2025-10-23T19:36:48+00:00
    Severity: medium
    Identifiers:

    CCE-82539-8

    References:
    nist: CM-8(3), IA-3
    ospp: FMT_SMF_EXT.1
    os-srg: SRG-OS-000114-GPOS-00059
    app-srg-ctr: SRG-APP-000092-CTR-000165, CNTR-OS-001010, CNTR-OS-001020, CNTR-OS-001030
    Description
    To allow the USBGuard daemon to authorize USB devices that combine human interface device and hub capabilities, add the line allow with-interface match-all { 03:*:* 09:00:* } to /etc/usbguard/rules.conf.
    Rationale
    Without allowing Human Interface Devices, it might not be possible to interact with the system. Without allowing hubs, it might not be possible to use any USB devices on the system.
    Warnings
    warning  This rule should be understood primarily as a convenience administration feature. It ensures that if the USBGuard default rules.conf file is present, it is altered so that USB human interface devices and hubs are allowed. However, if the rules.conf file has been altered by the system administrator, the rule does not check whether USB human interface devices and hubs are allowed; it assumes that the administrator modified the file with some purpose in mind.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      annotations:
        complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,%0Aallow%20with-interface%20match-all%20%7B%2003%3A%2A%3A%2A%2009%3A00%3A%2A%20%7D
            mode: 0600
            path: /etc/usbguard/rules.d/75-hid-and-hub.conf
            overwrite: true
    
    OVAL test results details

    Check the usbguard rules in either /etc/usbguard/rules.conf or /etc/usbguard/rules.d/ contain at least one non whitespace character and exists  oval:ssg-test_usbguard_rules_nonempty:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-obj_usbguard_rules_nonempty:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/usbguard/(rules|rules\.d/.*)\.conf$
    Pattern: ^.*\S+.*$
    Instance: 1
    Record Events that Modify the System's Discretionary Access Controls - chmod | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod | medium | CCE-82556-2

    Record Events that Modify the System's Discretionary Access Controls - chmod

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_dac_modification_chmod:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82556-2

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.5.5
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203
    app-srg-ctr: SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000950
    anssi: R73
    pcidss4: 10.3.4, 10.3
    Description
    At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with the suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the system is 64-bit, then also add the following line:
    -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the system is 64-bit, then also add the following line:
    -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
    Rationale
    The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20chmod%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20chmod%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
            mode: 0644
            path: /etc/audit/rules.d/75-chmod_dac_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit chmod  oval:ssg-test_32bit_ardm_chmod_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_chmod_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit chmod  oval:ssg-test_64bit_ardm_chmod_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_chmod_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit chmod  oval:ssg-test_32bit_ardm_chmod_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_chmod_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit chmod  oval:ssg-test_64bit_ardm_chmod_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_chmod_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Events that Modify the System's Discretionary Access Controls - chown | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown | medium | CCE-82557-0

    Record Events that Modify the System's Discretionary Access Controls - chown

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_dac_modification_chown:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82557-0

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.5.5
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219
    app-srg-ctr: SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000950
    anssi: R73
    pcidss4: 10.3.4, 10.3
    Description
    At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with the suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the system is 64-bit, then also add the following line:
    -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the system is 64-bit, then also add the following line:
    -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
    Rationale
    The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20chown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20chown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
            mode: 0644
            path: /etc/audit/rules.d/75-chown_dac_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit chown  oval:ssg-test_32bit_ardm_chown_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_chown_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit chown  oval:ssg-test_64bit_ardm_chown_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_chown_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit chown  oval:ssg-test_32bit_ardm_chown_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_chown_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit chown  oval:ssg-test_64bit_ardm_chown_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_chown_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Events that Modify the System's Discretionary Access Controls - fchmod | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod | medium | CCE-82558-8

    Record Events that Modify the System's Discretionary Access Controls - fchmod

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_dac_modification_fchmod:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82558-8

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.5.5
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203
    app-srg-ctr: SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000950
    anssi: R73
    pcidss4: 10.3.4, 10.3
    Description
    At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with the suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the system is 64-bit, then also add the following line:
    -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the system is 64-bit, then also add the following line:
    -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
    Rationale
    The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchmod%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchmod%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
            mode: 0644
            path: /etc/audit/rules.d/75-fchmod_dac_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit fchmod  oval:ssg-test_32bit_ardm_fchmod_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_fchmod_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit fchmod  oval:ssg-test_64bit_ardm_fchmod_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_fchmod_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit fchmod  oval:ssg-test_32bit_ardm_fchmod_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_fchmod_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit fchmod  oval:ssg-test_64bit_ardm_fchmod_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_fchmod_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Record Events that Modify the System's Discretionary Access Controls - fchmodat  xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat  medium  CCE-82559-6

    Record Events that Modify the System's Discretionary Access Controls - fchmodat

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_dac_modification_fchmodat:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82559-6

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.5.5
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203
    app-srg-ctr: SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000950
    anssi: R73
    pcidss4: 10.3.4, 10.3
    Description
    At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
    Rationale
    The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchmodat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchmodat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
            mode: 0644
            path: /etc/audit/rules.d/75-fchmodat_dac_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit fchmodat  oval:ssg-test_32bit_ardm_fchmodat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_fchmodat_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit fchmodat  oval:ssg-test_64bit_ardm_fchmodat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_fchmodat_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit fchmodat  oval:ssg-test_32bit_ardm_fchmodat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_fchmodat_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit fchmodat  oval:ssg-test_64bit_ardm_fchmodat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_fchmodat_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Record Events that Modify the System's Discretionary Access Controls - fchown  xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown  medium  CCE-82560-4

    Record Events that Modify the System's Discretionary Access Controls - fchown

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_dac_modification_fchown:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82560-4

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.5.5
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219
    app-srg-ctr: SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000950
    anssi: R73
    pcidss4: 10.3.4, 10.3
    Description
    At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
    Rationale
    The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
            mode: 0644
            path: /etc/audit/rules.d/75-fchown_dac_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit fchown  oval:ssg-test_32bit_ardm_fchown_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_fchown_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit fchown  oval:ssg-test_64bit_ardm_fchown_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_fchown_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit fchown  oval:ssg-test_32bit_ardm_fchown_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_fchown_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit fchown  oval:ssg-test_64bit_ardm_fchown_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_fchown_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Record Events that Modify the System's Discretionary Access Controls - fchownat  xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat  medium  CCE-82561-2

    Record Events that Modify the System's Discretionary Access Controls - fchownat

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_dac_modification_fchownat:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82561-2

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.5.5
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219
    app-srg-ctr: SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000950
    anssi: R73
    pcidss4: 10.3.4, 10.3
    Description
    At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
    Rationale
    The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchownat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchownat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
            mode: 0644
            path: /etc/audit/rules.d/75-fchownat_dac_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit fchownat  oval:ssg-test_32bit_ardm_fchownat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_fchownat_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit fchownat  oval:ssg-test_64bit_ardm_fchownat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_fchownat_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit fchownat  oval:ssg-test_32bit_ardm_fchownat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_fchownat_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit fchownat  oval:ssg-test_64bit_ardm_fchownat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_fchownat_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Record Events that Modify the System's Discretionary Access Controls - fremovexattr | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr | medium | CCE-82562-0

    Record Events that Modify the System's Discretionary Access Controls - fremovexattr

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_dac_modification_fremovexattr:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82562-0

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.5.5
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000064-GPOS-00033
    app-srg-ctr: SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000940, CNTR-OS-000950
    anssi: R73
    pcidss4: 10.3.4, 10.3
    Description
    At a minimum, the audit system should collect file permission changes for all users and root.

    If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    Rationale
    The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    Warnings
    warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fremovexattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fremovexattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
            mode: 0644
            path: /etc/audit/rules.d/75-fremovexattr_dac_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit fremovexattr  oval:ssg-test_32bit_ardm_fremovexattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_fremovexattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit fremovexattr  oval:ssg-test_64bit_ardm_fremovexattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_fremovexattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit fremovexattr  oval:ssg-test_32bit_ardm_fremovexattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_fremovexattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit fremovexattr  oval:ssg-test_64bit_ardm_fremovexattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_fremovexattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Record Events that Modify the System's Discretionary Access Controls - fsetxattr | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr | medium | CCE-82563-8

    Record Events that Modify the System's Discretionary Access Controls - fsetxattr

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_dac_modification_fsetxattr:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82563-8

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.5.5
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033
    app-srg-ctr: SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000940, CNTR-OS-000960
    anssi: R73
    pcidss4: 10.3.4, 10.3
    Description
    At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    Rationale
    The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    Warnings
    warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fsetxattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fsetxattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
            mode: 0644
            path: /etc/audit/rules.d/75-fsetxattr_dac_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit fsetxattr  oval:ssg-test_32bit_ardm_fsetxattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_fsetxattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit fsetxattr  oval:ssg-test_64bit_ardm_fsetxattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_fsetxattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit fsetxattr  oval:ssg-test_32bit_ardm_fsetxattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_fsetxattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit fsetxattr  oval:ssg-test_64bit_ardm_fsetxattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_fsetxattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Record Events that Modify the System's Discretionary Access Controls - lchown | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown | medium | CCE-82564-6

    Record Events that Modify the System's Discretionary Access Controls - lchown

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_dac_modification_lchown:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82564-6

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.5.5
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219
    app-srg-ctr: SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000950
    anssi: R73
    pcidss4: 10.3.4, 10.3
    Description
    At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
    Rationale
    The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    Warnings
    warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lchown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lchown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
            mode: 0644
            path: /etc/audit/rules.d/75-lchown_dac_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit lchown  oval:ssg-test_32bit_ardm_lchown_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_lchown_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit lchown  oval:ssg-test_64bit_ardm_lchown_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_lchown_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit lchown  oval:ssg-test_32bit_ardm_lchown_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_lchown_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit lchown  oval:ssg-test_64bit_ardm_lchown_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_lchown_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Events that Modify the System's Discretionary Access Controls - lremovexattr (xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr, severity medium, CCE-82565-3)

    Record Events that Modify the System's Discretionary Access Controls - lremovexattr

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_dac_modification_lremovexattr:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82565-3

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.5.5
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033
    app-srg-ctr: SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000940, CNTR-OS-000950, CNTR-OS-000960
    anssi: R73
    pcidss4: 10.3.4, 10.3
    Description
    At a minimum, the audit system should collect file permission changes for all users and root.

    If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    Rationale
    The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lremovexattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lremovexattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
            mode: 0644
            path: /etc/audit/rules.d/75-lremovexattr_dac_modification.rules
            overwrite: true
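    The four xattr rules in this section share one check: the textfilecontent54 pattern shown in the OVAL test details, instantiated once per syscall and once per arch, and the remediation ships the rule lines as a percent-encoded data: URL in the MachineConfig above. The Python below is an added example, not part of this report or of the ComplianceAsCode content, that re-implements that pattern so a rules.d file can be verified locally before it is pushed as a MachineConfig, and that round-trips the data: URL form of the source: field. It covers the whole xattr family, including fsetxattr and fremovexattr, which this section does not show; the function names are this example's own.

```python
"""Local pre-check for the xattr DAC-modification audit rules.

Added example (not part of the SCAP report or of ComplianceAsCode): the
regex is the report's textfilecontent54 pattern with the syscall and arch
substituted; everything else (function names, the grouped rule builder, the
data: URL helpers) is this example's own.
"""
import re
from urllib.parse import quote, unquote

# The xattr family: the four syscalls on this page plus their f* siblings.
XATTR_SYSCALLS = ("setxattr", "lsetxattr", "fsetxattr",
                  "removexattr", "lremovexattr", "fremovexattr")

# The lremovexattr remediation content exactly as it appears in the
# MachineConfig on this page (contents.source of the rules.d file).
PAGE_LREMOVEXATTR_DATA_URL = (
    "data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lremovexattr%20-F%20auid%3E%3D1000"
    "%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64"
    "%20-S%20lremovexattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A"
)


def oval_rule_pattern(syscall: str, arch: str) -> "re.Pattern[str]":
    """The report's per-syscall regex with syscall and arch substituted.

    Note the field order it imposes: arch, then the syscall (either as the
    sole '-S' argument or inside a comma-separated list), then auid>=1000,
    then auid!=unset (or the legacy 4294967295), and the key last on the line.
    """
    sc = re.escape(syscall)
    parts = [
        r"^[\s]*-a[\s]+always,exit[\s]+",
        r"(?:.*-F[\s]+arch=" + arch + r"[\s]+)",
        r"(?:.*(-S[\s]+" + sc + r"[\s]+|([\s]+|[,])" + sc + r"([\s]+|[,])))",
        r"(?:.*-F\s+auid>=1000[\s]+)",
        r"(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+)",
        r".*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$",
    ]
    return re.compile("".join(parts))


def check_rules(text: str, syscalls=XATTR_SYSCALLS, archs=("b32", "b64")) -> dict:
    """Map (syscall, arch) -> True when at least one line satisfies the check.

    Mirrors the per-arch OVAL tests: on a 64-bit host both b32 and b64 lines
    are required for every syscall.
    """
    lines = text.splitlines()
    return {
        (sc, arch): any(oval_rule_pattern(sc, arch).search(line) for line in lines)
        for sc in syscalls
        for arch in archs
    }


def missing_rules(text: str, **kw) -> list:
    """Sorted (syscall, arch) pairs the rules text does not cover."""
    return sorted(k for k, ok in check_rules(text, **kw).items() if not ok)


def grouped_rules(key: str = "perm_mod") -> str:
    """One b32 and one b64 line covering the whole xattr family: the grouped
    form the guide's warning recommends over one file per syscall."""
    sc = ",".join(XATTR_SYSCALLS)
    return "".join(
        f"-a always,exit -F arch={arch} -S {sc} -F auid>=1000 -F auid!=unset -F key={key}\n"
        for arch in ("b32", "b64")
    )


def to_data_url(text: str) -> str:
    """Percent-encode rules text into the plain (non-base64) data: URL that the
    MachineConfig storage.files[].contents.source field carries."""
    return "data:," + quote(text, safe="")


def from_data_url(url: str) -> str:
    """Inverse of to_data_url; rejects anything that is not a plain data: URL."""
    if not url.startswith("data:,"):
        raise ValueError("not a plain (non-base64) data: URL")
    return unquote(url[len("data:,"):])


if __name__ == "__main__":
    page_text = from_data_url(PAGE_LREMOVEXATTR_DATA_URL)
    print("page remediation covers:", [k for k, ok in check_rules(page_text).items() if ok])
    print("grouped file missing:", missing_rules(grouped_rules()))
    print(to_data_url(grouped_rules()))
```

    Two things the check makes visible: a line that auditd loads happily but that lists the key before the auid filters (or omits -F auid!=unset) still fails the scan, so keep the field order given in the Description; and a single grouped line with a comma-separated syscall list satisfies every per-syscall test, because the pattern also accepts the syscall delimited by commas.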
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit lremovexattr  oval:ssg-test_32bit_ardm_lremovexattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_lremovexattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit lremovexattr  oval:ssg-test_64bit_ardm_lremovexattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_lremovexattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit lremovexattr  oval:ssg-test_32bit_ardm_lremovexattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_lremovexattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit lremovexattr  oval:ssg-test_64bit_ardm_lremovexattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_lremovexattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Events that Modify the System's Discretionary Access Controls - lsetxattr (xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr, severity medium, CCE-82566-1)

    Record Events that Modify the System's Discretionary Access Controls - lsetxattr

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_dac_modification_lsetxattr:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82566-1

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.5.5
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033
    app-srg-ctr: SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000940, CNTR-OS-000960
    anssi: R73
    pcidss4: 10.3.4, 10.3
    Description
    At a minimum, the audit system should collect file permission changes for all users and root.

    If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    Rationale
    The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lsetxattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lsetxattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
            mode: 0644
            path: /etc/audit/rules.d/75-lsetxattr_dac_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit lsetxattr  oval:ssg-test_32bit_ardm_lsetxattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_lsetxattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit lsetxattr  oval:ssg-test_64bit_ardm_lsetxattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_lsetxattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit lsetxattr  oval:ssg-test_32bit_ardm_lsetxattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_lsetxattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit lsetxattr  oval:ssg-test_64bit_ardm_lsetxattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_lsetxattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Events that Modify the System's Discretionary Access Controls - removexattr (xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr, severity medium, CCE-82567-9)

    Record Events that Modify the System's Discretionary Access Controls - removexattr

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_dac_modification_removexattr:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82567-9

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.5.5
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033
    app-srg-ctr: SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000160, CNTR-OS-000930, CNTR-OS-000940, CNTR-OS-000950, CNTR-OS-000960
    anssi: R73
    pcidss4: 10.3.4, 10.3
    Description
    At a minimum, the audit system should collect file permission changes for all users and root.

    If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod


    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    Rationale
    The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20removexattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20removexattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
            mode: 0644
            path: /etc/audit/rules.d/75-removexattr_dac_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit removexattr  oval:ssg-test_32bit_ardm_removexattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_removexattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit removexattr  oval:ssg-test_64bit_ardm_removexattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_removexattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit removexattr  oval:ssg-test_32bit_ardm_removexattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_removexattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit removexattr  oval:ssg-test_64bit_ardm_removexattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_removexattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Events that Modify the System's Discretionary Access Controls - setxattr (xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr, medium, CCE-82568-7)

    Record Events that Modify the System's Discretionary Access Controls - setxattr

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_dac_modification_setxattr:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82568-7

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.5.5
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203
    app-srg-ctr: SRG-APP-000091-CTR-000160, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000500-CTR-001260, SRG-APP-000507-CTR-001295, SRG-APP-000495-CTR-001235, CNTR-OS-000160, CNTR-OS-000930
    anssi: R73
    pcidss4: 10.3.4, 10.3
    Description
    At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the system is 64-bit, also add the following line:
    -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    If the system is 64-bit, also add the following line:
    -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
    Rationale
    The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
    Warnings
    Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20setxattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20setxattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
            mode: 0644
            path: /etc/audit/rules.d/75-setxattr_dac_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit setxattr  oval:ssg-test_32bit_ardm_setxattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_setxattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit setxattr  oval:ssg-test_64bit_ardm_setxattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_setxattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit setxattr  oval:ssg-test_32bit_ardm_setxattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_setxattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit setxattr  oval:ssg-test_64bit_ardm_setxattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_setxattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Any Attempts to Run chcon (xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon, medium, CCE-82569-5)

    Record Any Attempts to Run chcon

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_execution_chcon:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82569-5

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209
    app-srg-ctr: SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000930, CNTR-OS-000940, CNTR-OS-000960
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the same form to /etc/audit/audit.rules, again with ARCH set to b32 on a 32-bit system, or two lines (b32 and b64) on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/chcon%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/chcon%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_bin_chcon_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules chcon  oval:ssg-test_audit_rules_execution_chcon_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_chcon_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules chcon  oval:ssg-test_audit_rules_execution_chcon_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_chcon_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl chcon  oval:ssg-test_audit_rules_execution_chcon_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_chcon_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl chcon  oval:ssg-test_audit_rules_execution_chcon_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_chcon_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Any Attempts to Run restorecon (xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon, medium, CCE-82570-3)

    Record Any Attempts to Run restorecon

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_execution_restorecon:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82570-3

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
    os-srg: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the same form to /etc/audit/audit.rules, again with ARCH set to b32 on a 32-bit system, or two lines (b32 and b64) on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/sbin/restorecon%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/sbin/restorecon%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_sbin_restorecon_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules restorecon  oval:ssg-test_audit_rules_execution_restorecon_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_restorecon_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules restorecon  oval:ssg-test_audit_rules_execution_restorecon_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_restorecon_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl restorecon  oval:ssg-test_audit_rules_execution_restorecon_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_restorecon_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl restorecon  oval:ssg-test_audit_rules_execution_restorecon_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_restorecon_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
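The setxattr, chcon and restorecon rules above all follow the same procedure: rule lines are written to /etc/audit/rules.d (here via a MachineConfig data: URL) and the OVAL tests then look for a matching line per architecture. The following Python is an added example, not part of this guide or of the ComplianceAsCode project: it decodes the data: URLs from the MachineConfigs above and checks the resulting lines against the report's own OVAL regular expressions, so a rules file can be validated before the MachineConfig is applied and the node reboots. The SYSCALL_PATTERN and PATH_PATTERN names and the hand-written GROUPED_RULES and BROKEN_RULES lines are constructed for this example.

```python
"""Pre-flight check of auditd rule lines against the OVAL patterns in this report.

Added example; not part of the guide or the ComplianceAsCode project. The two
regular expressions below are copied from the report's textfilecontent54 objects,
with the architecture, syscall and path made into placeholders.
"""
import re
from urllib.parse import unquote

# Syscall-rule pattern (the setxattr/removexattr objects). It accepts the syscall
# either directly after -S or inside a comma-separated -S list, which is why the
# grouped form mentioned in the Warnings note still passes the scan.
SYSCALL_PATTERN = (
    r"^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={arch}[\s]+)"
    r"(?:.*(-S[\s]+{syscall}[\s]+|([\s]+|[,]){syscall}([\s]+|[,])))"
    r"(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+)"
    r".*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$"
)
# Privileged-command pattern (the chcon/restorecon objects). Field order is fixed,
# and auid!=-1 is accepted here but not by the syscall pattern above.
PATH_PATTERN = (
    r"^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch={arch}[\s]+-F[\s]+path={path}[\s]+"
    r"-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+"
    r"(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$"
)


def decode_data_url(source: str) -> list[str]:
    """Return the non-empty rule lines encoded in an Ignition 'data:,' URL."""
    prefix = "data:,"
    if not source.startswith(prefix):
        raise ValueError("only plain 'data:,' sources are handled (no base64, no media type)")
    return [ln for ln in unquote(source[len(prefix):]).splitlines() if ln.strip()]


def check_rules(lines, syscall=None, path=None, archs=("b32", "b64")) -> dict[str, bool]:
    """Mirror the report's per-architecture tests: {arch: some line matched?}."""
    if (syscall is None) == (path is None):
        raise ValueError("give exactly one of syscall= or path=")
    results = {}
    for arch in archs:
        if syscall is not None:
            pat = SYSCALL_PATTERN.format(arch=arch, syscall=re.escape(syscall))
        else:
            pat = PATH_PATTERN.format(arch=arch, path=re.escape(path))
        results[arch] = any(re.search(pat, ln) for ln in lines)
    return results


# Constructed inputs. The first two are the contents.source values copied from the
# setxattr and chcon MachineConfigs in this report; the rest are hand-written.
SETXATTR_SOURCE = (
    "data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20setxattr%20-F%20auid%3E%3D1000"
    "%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64"
    "%20-S%20setxattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A"
)
CHCON_SOURCE = (
    "data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/chcon%20-F%20auid"
    "%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F"
    "%20arch%3Db64%20-F%20path%3D/usr/bin/chcon%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset"
    "%20-F%20key%3Dprivileged%0A"
)
# Grouped form: one line per architecture covers both xattr syscalls.
GROUPED_RULES = [
    "-a always,exit -F arch=b32 -S setxattr,removexattr -F auid>=1000 -F auid!=unset -k perm_mod",
    "-a always,exit -F arch=b64 -S setxattr,removexattr -F auid>=1000 -F auid!=unset -k perm_mod",
]
# Lines that look plausible but the scan reports as 'fail': the first lacks the
# auid!=unset filter, the second lacks a key.
BROKEN_RULES = [
    "-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -k perm_mod",
    "-a always,exit -F arch=b64 -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset",
]

if __name__ == "__main__":
    for label, lines, kw in [
        ("setxattr MachineConfig", decode_data_url(SETXATTR_SOURCE), {"syscall": "setxattr"}),
        ("chcon MachineConfig", decode_data_url(CHCON_SOURCE), {"path": "/usr/bin/chcon"}),
        ("grouped xattr rules, removexattr", GROUPED_RULES, {"syscall": "removexattr"}),
        ("broken rules, setxattr", BROKEN_RULES, {"syscall": "setxattr"}),
    ]:
        print(f"{label}: {check_rules(lines, **kw)}")
```

A result of False for an architecture corresponds to the "No items have been found" outcome for that architecture's OVAL test.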
    Record Any Attempts to Run semanage (xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage, medium, CCE-82571-1)

    Record Any Attempts to Run semanage

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_execution_semanage:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82571-1

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209
    app-srg-ctr: SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, CNTR-OS-000930, CNTR-OS-000940
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d. Set ARCH to b32 on a 32-bit system; on a 64-bit system add two lines, one with arch=b32 and one with arch=b64, because a 64-bit kernel also runs 32-bit binaries through the b32 syscall ABI and a b64-only rule would not record those executions:
    -a always,exit -F arch=ARCH -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same line or lines to /etc/audit/audit.rules instead:
    -a always,exit -F arch=ARCH -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -F key=privileged
    The check decides which location to inspect from the ExecStartPost line of auditd.service (augenrules --load selects /etc/audit/rules.d, auditctl selects /etc/audit/audit.rules) and, on a 64-bit host, requires both the b32 and the b64 line.
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/sbin/semanage%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/sbin/semanage%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_sbin_semanage_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules semanage  oval:ssg-test_audit_rules_execution_semanage_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_semanage_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules semanage  oval:ssg-test_audit_rules_execution_semanage_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_semanage_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /usr/lib/systemd/system/auditd.service  ^ExecStartPost=\-\/sbin\/auditctl.*$  1

    audit auditctl semanage  oval:ssg-test_audit_rules_execution_semanage_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_semanage_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/audit/audit.rules  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl semanage  oval:ssg-test_audit_rules_execution_semanage_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_semanage_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/audit/audit.rules  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1
    Record Any Attempts to Run setfiles  xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles  medium  CCE-82572-9

    Record Any Attempts to Run setfiles

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_execution_setfiles:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82572-9

    References:
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209
    app-srg-ctr: SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, CNTR-OS-000930, CNTR-OS-000940
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d. Set ARCH to b32 on a 32-bit system; on a 64-bit system add two lines, one with arch=b32 and one with arch=b64, because a 64-bit kernel also runs 32-bit binaries through the b32 syscall ABI and a b64-only rule would not record those executions:
    -a always,exit -F arch=ARCH -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same line or lines to /etc/audit/audit.rules instead:
    -a always,exit -F arch=ARCH -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=unset -F key=privileged
    The check decides which location to inspect from the ExecStartPost line of auditd.service (augenrules --load selects /etc/audit/rules.d, auditctl selects /etc/audit/audit.rules) and, on a 64-bit host, requires both the b32 and the b64 line.
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/sbin/setfiles%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/sbin/setfiles%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_sbin_setfiles_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules setfiles  oval:ssg-test_audit_rules_execution_setfiles_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_setfiles_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules setfiles  oval:ssg-test_audit_rules_execution_setfiles_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_setfiles_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /usr/lib/systemd/system/auditd.service  ^ExecStartPost=\-\/sbin\/auditctl.*$  1

    audit auditctl setfiles  oval:ssg-test_audit_rules_execution_setfiles_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_setfiles_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/audit/audit.rules  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl setfiles  oval:ssg-test_audit_rules_execution_setfiles_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_setfiles_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/audit/audit.rules  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1
    Record Any Attempts to Run setsebool  xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool  medium  CCE-82573-7

    Record Any Attempts to Run setsebool

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_execution_setsebool:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82573-7

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209
    app-srg-ctr: SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, CNTR-OS-000930, CNTR-OS-000940
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d. Set ARCH to b32 on a 32-bit system; on a 64-bit system add two lines, one with arch=b32 and one with arch=b64, because a 64-bit kernel also runs 32-bit binaries through the b32 syscall ABI and a b64-only rule would not record those executions:
    -a always,exit -F arch=ARCH -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same line or lines to /etc/audit/audit.rules instead:
    -a always,exit -F arch=ARCH -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -F key=privileged
    The check decides which location to inspect from the ExecStartPost line of auditd.service (augenrules --load selects /etc/audit/rules.d, auditctl selects /etc/audit/audit.rules) and, on a 64-bit host, requires both the b32 and the b64 line.
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/sbin/setsebool%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/sbin/setsebool%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_sbin_setsebool_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules setsebool  oval:ssg-test_audit_rules_execution_setsebool_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_setsebool_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules setsebool  oval:ssg-test_audit_rules_execution_setsebool_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_setsebool_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /usr/lib/systemd/system/auditd.service  ^ExecStartPost=\-\/sbin\/auditctl.*$  1

    audit auditctl setsebool  oval:ssg-test_audit_rules_execution_setsebool_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_setsebool_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/audit/audit.rules  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl setsebool  oval:ssg-test_audit_rules_execution_setsebool_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_setsebool_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/audit/audit.rules  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1
    Record Any Attempts to Run seunshare  xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare  medium  CCE-82574-5

    Record Any Attempts to Run seunshare

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_execution_seunshare:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82574-5

    References:
    disa: CCI-000172
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d. Set ARCH to b32 on a 32-bit system; on a 64-bit system add two lines, one with arch=b32 and one with arch=b64, because a 64-bit kernel also runs 32-bit binaries through the b32 syscall ABI and a b64-only rule would not record those executions:
    -a always,exit -F arch=ARCH -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same line or lines to /etc/audit/audit.rules instead:
    -a always,exit -F arch=ARCH -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged
    The check decides which location to inspect from the ExecStartPost line of auditd.service (augenrules --load selects /etc/audit/rules.d, auditctl selects /etc/audit/audit.rules) and, on a 64-bit host, requires both the b32 and the b64 line.
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
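    What the rationale above buys you in practice, for this rule and the semanage, setfiles and setsebool rules before it, is the SYSCALL/EXECVE record pair auditd writes under key=privileged whenever one of those binaries is executed. The script below is an added example, not part of this guide or of ComplianceAsCode: it groups audit.log lines by event serial, keeps the events carrying that key, and reports the login identity (auid, which survives su/sudo), the identity the binary ran as (uid), the binary and its arguments. It flags failed attempts, which always,exit rules record as success=no, and runs where auid differs from uid, i.e. a logged-in user acting through a privilege switch. The audit.log lines are constructed for the example; on a node, `ausearch -k privileged -i` returns the same records in interpreted form.

```python
"""Triage the records produced by the 'privileged' audit rules in this
guide (added example): group audit.log lines by event serial, keep the
events keyed 'privileged', and report who ran what as whom."""
import re
from collections import defaultdict

# Constructed audit.log lines for the example, not captured from a host.
# 2201: a user with auid=1000 ran setsebool as root (uid=0), e.g. via sudo.
# 2202: a user tried semanage unprivileged and got EACCES (exit=-13);
#       'always,exit' records the failed attempt too.
# 2204: a record with another rule's key, to show the key filter.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1761246000.101:2201): arch=c000003e syscall=59 success=yes exit=0 ppid=3100 pid=3101 auid=1000 uid=0 gid=0 euid=0 comm="setsebool" exe="/usr/sbin/setsebool" key="privileged"
type=EXECVE msg=audit(1761246000.101:2201): argc=3 a0="setsebool" a1="-P" a2="container_manage_cgroup=on"
type=SYSCALL msg=audit(1761246000.102:2202): arch=c000003e syscall=59 success=no exit=-13 ppid=3200 pid=3201 auid=1001 uid=1001 gid=1001 euid=1001 comm="semanage" exe="/usr/sbin/semanage" key="privileged"
type=EXECVE msg=audit(1761246000.102:2202): argc=3 a0="semanage" a1="permissive" a2="-a"
type=SYSCALL msg=audit(1761246000.104:2204): arch=c000003e syscall=257 success=yes exit=3 ppid=3400 pid=3401 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="access"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
SERIAL = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")  # event serial number


def parse_record(line):
    """One audit record -> dict of its fields (quotes stripped) plus serial."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    fields["serial"] = int(SERIAL.search(line).group(1))
    return fields


def group_events(log_text):
    """Records sharing a serial belong to one event (SYSCALL, EXECVE, PATH...)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["serial"]].append(rec)
    return dict(events)


def privileged_executions(log_text, key="privileged"):
    """Summaries of the events whose SYSCALL record carries the rule key."""
    summaries = []
    for serial, recs in sorted(group_events(log_text).items()):
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue
        execve = next((r for r in recs if r["type"] == "EXECVE"), None)
        argv = ([execve[f"a{i}"] for i in range(int(execve["argc"]))]
                if execve else [])
        summaries.append({
            "serial": serial,
            "auid": syscall["auid"],  # login identity, set by pam_loginuid
            "uid": syscall["uid"],    # identity the binary actually ran as
            "exe": syscall["exe"],
            "argv": argv,
            "success": syscall["success"] == "yes",
            "exit": int(syscall["exit"]),
        })
    return summaries


def via_privilege_switch(summaries):
    """Runs where the login user and the executing user differ."""
    return [s for s in summaries if s["auid"] != s["uid"]]


def failed_attempts(summaries):
    """Attempts the kernel refused; still recorded because the rule is always,exit."""
    return [s for s in summaries if not s["success"]]


if __name__ == "__main__":
    for s in privileged_executions(SAMPLE_LOG):
        flag = "FAILED " if not s["success"] else ""
        print(f'{flag}auid={s["auid"]} uid={s["uid"]} {s["exe"]} {" ".join(s["argv"])}')
```

    Because the four rules share one key, the same filter covers all of them; splitting keys per binary only matters if you want ausearch to narrow on one tool.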

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/sbin/seunshare%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/sbin/seunshare%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_sbin_seunshare_execution.rules
            overwrite: true
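    The rules for semanage, setfiles, setsebool and seunshare in this guide differ only in the path, and each MachineConfig remediation is the same b32 and b64 pair percent-encoded into an Ignition data: URL. The Python below is an added example, not ComplianceAsCode or Red Hat code: it produces the rule lines and the data: URL for any of the four binaries, and it re-applies the textfilecontent54 pattern printed in the OVAL results to a set of rules.d files so you can see what the scanner will flag before you reboot nodes. The pattern makes one caveat visible: field order is fixed, so a rule augenrules loads without complaint but with -F path= written before -F arch= still fails the check, while auid!=4294967295, auid!=-1 and -k KEY are all accepted. The rules.d contents fed in are constructed for the example; the metadata.name and role label in the generated MachineConfig are an assumption, since the snippet above omits them and the API needs them.

```python
"""Generate the 'privileged command' audit rules this guide requires and
re-check rules.d contents with the scanner's own pattern (added example)."""
import re
from urllib.parse import quote

AUDITED_BINARIES = ("semanage", "setfiles", "setsebool", "seunshare")
ARCHS = ("b32", "b64")


def audit_rule(binary, arch):
    """One rule line in exactly the form the Description prescribes."""
    return (f"-a always,exit -F arch={arch} -F path=/usr/sbin/{binary} "
            f"-F auid>=1000 -F auid!=unset -F key=privileged")


def rules_file(binary):
    """Body of /etc/audit/rules.d/75-usr_sbin_<binary>_execution.rules:
    the b32 line and the b64 line, each newline-terminated."""
    return "".join(audit_rule(binary, arch) + "\n" for arch in ARCHS)


def machineconfig_data_uri(binary):
    """Ignition data: URL for that file. quote() leaves '/', '-' and '_'
    alone and encodes space, ',', '=', '>', '!' and newline, which is
    exactly the encoding used by the remediation above."""
    return "data:," + quote(rules_file(binary))


def machineconfig_yaml(binary, role="worker"):
    """Complete MachineConfig. metadata.name and the role label are an
    assumption: the guide's snippet omits them, but the API requires them."""
    return f"""apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: {role}
  name: 75-{role}-audit-{binary}-execution
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: {machineconfig_data_uri(binary)}
        mode: 0644
        path: /etc/audit/rules.d/75-usr_sbin_{binary}_execution.rules
        overwrite: true
"""


def oval_pattern(binary, arch):
    """The textfilecontent54 pattern from the OVAL results, parameterised.
    Accepted: any whitespace, auid!=unset|-1|4294967295, '-k KEY' or
    '-F key=KEY'. Not accepted: any other field order."""
    return re.compile(
        r"^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=" + arch
        + r"[\s]+-F[\s]+path=\/usr\/sbin\/" + binary
        + r"[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)"
        + r"[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$",
        re.MULTILINE,
    )


def missing_rules(rules_d, binaries=AUDITED_BINARIES, archs=ARCHS):
    """rules_d maps file name -> content for /etc/audit/rules.d. Returns the
    (binary, arch) pairs no *.rules file satisfies, i.e. what the augenrules
    branch of the check reports as missing."""
    blob = "\n".join(c for n, c in rules_d.items() if n.endswith(".rules"))
    return [(b, a) for b in binaries for a in archs
            if not oval_pattern(b, a).search(blob)]


# Constructed rules.d for the demo: semanage done right; setsebool written
# with fields reordered (augenrules loads it, the check rejects it); a file
# without the .rules suffix, which augenrules and the check both ignore.
DEMO_RULES_D = {
    "75-usr_sbin_semanage_execution.rules": rules_file("semanage"),
    "80-local.rules": "-a always,exit -F path=/usr/sbin/setsebool -F arch=b64 "
                      "-F auid>=1000 -F auid!=unset -k privileged\n",
    "README": audit_rule("setfiles", "b64") + "\n",
}

if __name__ == "__main__":
    print(machineconfig_yaml("semanage"))
    for binary, arch in missing_rules(DEMO_RULES_D):
        print("missing:", audit_rule(binary, arch))
```

    On a live node the same check is `grep -E` with that pattern over /etc/audit/rules.d/*.rules, but the reason to keep the pattern in a script is the reorder trap: `auditctl -l` shows the reordered setsebool rule as loaded, and only the pattern tells you the scan will still fail.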
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules seunshare  oval:ssg-test_audit_rules_execution_seunshare_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_seunshare_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules seunshare  oval:ssg-test_audit_rules_execution_seunshare_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_seunshare_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath  ^/etc/audit/rules\.d/.*\.rules$
    Pattern  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance  1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath  /usr/lib/systemd/system/auditd.service
    Pattern  ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance  1

    audit auditctl seunshare  oval:ssg-test_audit_rules_execution_seunshare_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_seunshare_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath  /etc/audit/audit.rules
    Pattern  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl seunshare  oval:ssg-test_audit_rules_execution_seunshare_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_execution_seunshare_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath  /etc/audit/audit.rules
    Pattern  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance  1
    Ensure auditd Collects File Deletion Events by User - rename  xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename  medium  CCE-82575-2

    Ensure auditd Collects File Deletion Events by User - rename

    Rule ID  xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
    Result  fail
    Multi-check rule  no
    OVAL Definition ID  oval:ssg-audit_rules_file_deletion_events_rename:def:1
    Time  2025-10-23T19:36:54+00:00
    Severity  medium
    Identifiers:

    CCE-82575-2

    References:
    cis-csc  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5  APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui  3.1.7
    disa  CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa  164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009  4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013  SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013  A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist  AU-2(d), AU-12(c), CM-6(a)
    nist-csf  DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss  Req-10.2.7
    os-srg  SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212
    app-srg-ctr  SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000960
    anssi  R73
    pcidss4  10.2.1.7, 10.2.1, 10.2
    Description
    At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with the suffix .rules in the directory /etc/audit/rules.d. On a 32-bit system set ARCH to b32; on a 64-bit system add two lines, one with arch=b32 and one with arch=b64, because 32-bit programs on a 64-bit kernel use the 32-bit syscall ABI and are not matched by an arch=b64 rule:
    -a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same line(s) to the file /etc/audit/audit.rules instead:
    -a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
    The automated check (see the OVAL patterns below) accepts the syscall either on its own or inside a comma-separated -S list shared with other syscalls, accepts auid!=unset or auid!=4294967295 but not the auditctl alias -1, and requires the key (-k KEY or -F key=KEY) to be the last field on the line. Only files ending in .rules under /etc/audit/rules.d are examined, and because the remediation is delivered as a MachineConfig the node reboots when it is applied.
    Rationale
    Auditing file deletions creates an audit trail for files that are removed from the system. The audit trail can aid in system troubleshooting as well as in detecting malicious processes that attempt to delete log files to conceal their presence.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20rename%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20rename%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A
            mode: 0644
            path: /etc/audit/rules.d/75-rename-file-deletion-events.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit rename  oval:ssg-test_32bit_ardm_rename_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_rename_augenrules:obj:1 of type textfilecontent54_object
    Filepath  ^/etc/audit/rules\.d/.*\.rules$
    Pattern  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit rename  oval:ssg-test_64bit_ardm_rename_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_rename_augenrules:obj:1 of type textfilecontent54_object
    Filepath  ^/etc/audit/rules\.d/.*\.rules$
    Pattern  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance  1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath  /usr/lib/systemd/system/auditd.service
    Pattern  ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance  1

    audit auditctl 32-bit rename  oval:ssg-test_32bit_ardm_rename_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_rename_auditctl:obj:1 of type textfilecontent54_object
    Filepath  /etc/audit/audit.rules
    Pattern  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit rename  oval:ssg-test_64bit_ardm_rename_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_rename_auditctl:obj:1 of type textfilecontent54_object
    Filepath  /etc/audit/audit.rules
    Pattern  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance  1
    Ensure auditd Collects File Deletion Events by User - renameat  xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat  medium  CCE-82576-0

    Ensure auditd Collects File Deletion Events by User - renameat

    Rule ID  xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat
    Result  fail
    Multi-check rule  no
    OVAL Definition ID  oval:ssg-audit_rules_file_deletion_events_renameat:def:1
    Time  2025-10-23T19:36:54+00:00
    Severity  medium
    Identifiers:

    CCE-82576-0

    References:
    cis-csc  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5  APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui  3.1.7
    disa  CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa  164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009  4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013  SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013  A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist  AU-2(d), AU-12(c), CM-6(a)
    nist-csf  DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss  Req-10.2.7
    os-srg  SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212
    app-srg-ctr  SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000960
    anssi  R73
    pcidss4  10.2.1.7, 10.2.1, 10.2
    Description
    At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with the suffix .rules in the directory /etc/audit/rules.d. On a 32-bit system set ARCH to b32; on a 64-bit system add two lines, one with arch=b32 and one with arch=b64, so that both the 32-bit and the 64-bit syscall ABI are covered:
    -a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same line(s) to the file /etc/audit/audit.rules instead:
    -a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
    Rationale
    Auditing file deletions creates an audit trail for files that are removed from the system. The audit trail can aid in system troubleshooting as well as in detecting malicious processes that attempt to delete log files to conceal their presence.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20renameat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20renameat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A
            mode: 0644
            path: /etc/audit/rules.d/75-renameat-file-deletion-events.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit renameat  oval:ssg-test_32bit_ardm_renameat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_renameat_augenrules:obj:1 of type textfilecontent54_object
    Filepath  ^/etc/audit/rules\.d/.*\.rules$
    Pattern  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit renameat  oval:ssg-test_64bit_ardm_renameat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_renameat_augenrules:obj:1 of type textfilecontent54_object
    Filepath  ^/etc/audit/rules\.d/.*\.rules$
    Pattern  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance  1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath  /usr/lib/systemd/system/auditd.service
    Pattern  ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance  1

    audit auditctl 32-bit renameat  oval:ssg-test_32bit_ardm_renameat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_renameat_auditctl:obj:1 of type textfilecontent54_object
    Filepath  /etc/audit/audit.rules
    Pattern  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit renameat  oval:ssg-test_64bit_ardm_renameat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_renameat_auditctl:obj:1 of type textfilecontent54_object
    Filepath  /etc/audit/audit.rules
    Pattern  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance  1
    Ensure auditd Collects File Deletion Events by User - rmdir  xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir  medium  CCE-82577-8

    Ensure auditd Collects File Deletion Events by User - rmdir

    Rule ID  xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir
    Result  fail
    Multi-check rule  no
    OVAL Definition ID  oval:ssg-audit_rules_file_deletion_events_rmdir:def:1
    Time  2025-10-23T19:36:54+00:00
    Severity  medium
    Identifiers:

    CCE-82577-8

    References:
    cis-csc  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5  APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui  3.1.7
    disa  CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa  164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009  4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013  SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013  A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist  AU-2(d), AU-12(c), CM-6(a)
    nist-csf  DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss  Req-10.2.7
    os-srg  SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212
    app-srg-ctr  SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000960
    anssi  R73
    pcidss4  10.2.1.7, 10.2.1, 10.2
    Description
    At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with the suffix .rules in the directory /etc/audit/rules.d. On a 32-bit system set ARCH to b32; on a 64-bit system add two lines, one with arch=b32 and one with arch=b64, so that both the 32-bit and the 64-bit syscall ABI are covered:
    -a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same line(s) to the file /etc/audit/audit.rules instead:
    -a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
    Rationale
    Auditing file deletions creates an audit trail for files that are removed from the system. The audit trail can aid in system troubleshooting as well as in detecting malicious processes that attempt to delete log files to conceal their presence.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20rmdir%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20rmdir%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A
            mode: 0644
            path: /etc/audit/rules.d/75-rmdir-file-deletion-events.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit rmdir  oval:ssg-test_32bit_ardm_rmdir_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_rmdir_augenrules:obj:1 of type textfilecontent54_object
    Filepath  ^/etc/audit/rules\.d/.*\.rules$
    Pattern  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit rmdir  oval:ssg-test_64bit_ardm_rmdir_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_rmdir_augenrules:obj:1 of type textfilecontent54_object
    Filepath  ^/etc/audit/rules\.d/.*\.rules$
    Pattern  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance  1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath  /usr/lib/systemd/system/auditd.service
    Pattern  ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance  1

    audit auditctl 32-bit rmdir  oval:ssg-test_32bit_ardm_rmdir_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_rmdir_auditctl:obj:1 of type textfilecontent54_object
    Filepath  /etc/audit/audit.rules
    Pattern  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit rmdir  oval:ssg-test_64bit_ardm_rmdir_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_rmdir_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Ensure auditd Collects File Deletion Events by User - unlinkat  xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat  medium  CCE-82579-4

    Ensure auditd Collects File Deletion Events by User - unlinkat

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_file_deletion_events_unlinkat:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82579-4

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.7
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212
    app-srg-ctr: SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000960
    anssi: R73
    pcidss4: 10.2.1.7, 10.2.1, 10.2
    Description
    At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system; on a 64-bit system add the line twice, once with b32 and once with b64:
    -a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, again with ARCH set to b32 on a 32-bit system and with both a b32 and a b64 line on a 64-bit system:
    -a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
    Rationale
    Auditing file deletions creates an audit trail for files that are removed from the system. The audit trail can aid in system troubleshooting as well as in detecting malicious processes that attempt to delete log files to conceal their presence.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlinkat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlinkat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A
            mode: 0644
            path: /etc/audit/rules.d/75-unlinkat-file-deletion-events.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit unlinkat  oval:ssg-test_32bit_ardm_unlinkat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_unlinkat_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit unlinkat  oval:ssg-test_64bit_ardm_unlinkat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_unlinkat_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit unlinkat  oval:ssg-test_32bit_ardm_unlinkat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_unlinkat_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit unlinkat  oval:ssg-test_64bit_ardm_unlinkat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_unlinkat_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Record Unsuccessful Permission Changes to Files - chmod  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chmod  medium  CCE-82619-8

    Record Unsuccessful Permission Changes to Files - chmod

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chmod
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_chmod:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82619-8

    References:
    disa: CCI-000172
    nist: AU-2(d), AU-12(c), CM-6(a)
    Description
    The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    Rationale
    Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20chmod%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20chmod%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20chmod%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20chmod%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
            mode: 0644
            path: /etc/audit/rules.d/75-chmod_audit_rules_unsuccessful_file_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_chmod_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_chmod_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_chmod_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_chmod_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_chmod_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_chmod_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_chmod_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_chmod_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_chmod_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_chmod_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_chmod_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_chmod_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_chmod_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_chmod_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_chmod_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_chmod_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Record Unsuccessful Ownership Changes to Files - chown  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chown  medium  CCE-82620-6

    Record Unsuccessful Ownership Changes to Files - chown

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chown
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_chown:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82620-6

    References:
    disa: CCI-000172
    nist: AU-2(d), AU-12(c), CM-6(a)
    Description
    The audit system should collect unsuccessful file ownership change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    Rationale
    Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
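    The descriptions above give the rule lines required for file deletion events (rmdir, unlinkat) and for unsuccessful permission and ownership changes (chmod, chown), and the OVAL tests look for them with one regular expression per architecture and errno. The Python below is an added example, not code from this report or from scap-security-guide: it parses audit rule lines the way auditctl reads them and reports which (architecture, syscall, exit code) combination has no covering rule, so it accepts a grouped rule such as the one in the Warning as readily as the single-syscall form. The sample rules it runs on are constructed for the example, and the helper names and the is_64bit flag are the example's own. One caveat visible on this page: the rule lines in the Description use key=unsuccesful-perm-change while the MachineConfig remediation writes key=access; like the OVAL pattern, the check only requires that some key be present.

```python
"""Check auditd syscall rules against the requirements quoted in this guide.

Added example, not code from the SCAP report or from scap-security-guide.
Fields are matched by name rather than by position, which is more lenient
than the OVAL patterns above (they also fix the order of the -F fields).
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

# "-F name<op>value": auditctl comparison operators, longest first
FIELD_RE = re.compile(r"([A-Za-z0-9_]+)(>=|<=|!=|&=|=|>|<|&)(.*)")


@dataclass
class AuditRule:
    actions: Set[str]                                     # e.g. {"always", "exit"}
    syscalls: Set[str] = field(default_factory=set)
    fields: Dict[str, str] = field(default_factory=dict)  # "auid>=" -> "1000"
    key: Optional[str] = None                             # from -k or -F key=


def parse_rule(line: str) -> Optional[AuditRule]:
    """Parse one '-a' syscall rule; None for comments, blanks, -w watches etc."""
    toks = shlex.split(line, comments=True)
    if len(toks) < 2 or toks[0] != "-a":
        return None
    rule = AuditRule(actions=set(toks[1].split(",")))
    for opt, arg in zip(toks[2::2], toks[3::2]):  # remaining options take one argument each
        if opt == "-S":
            rule.syscalls.update(arg.split(","))
        elif opt == "-k":
            rule.key = arg
        elif opt == "-F":
            m = FIELD_RE.fullmatch(arg)
            if m is None:
                return None                       # malformed field; auditctl would reject it
            name, op, value = m.groups()
            if name == "key" and op == "=":
                rule.key = value
            else:
                rule.fields[name + op] = value
    return rule


def rule_satisfies(rule: AuditRule, arch: str, syscall: str,
                   exit_code: Optional[str] = None) -> bool:
    """True if this one rule meets the guide's requirement for the given arch."""
    return (rule.actions == {"always", "exit"}
            and rule.fields.get("arch=") == arch
            and syscall in rule.syscalls
            and rule.fields.get("auid>=") == "1000"
            and rule.fields.get("auid!=") in ("unset", "4294967295")
            and rule.key is not None
            and (exit_code is None or rule.fields.get("exit=") == exit_code))


def check_rules(lines: Iterable[str], syscall: str,
                archs: Tuple[str, ...] = ("b32", "b64"),
                exit_codes: Tuple[Optional[str], ...] = (None,)) -> List[Tuple[str, str, Optional[str]]]:
    """Return the (arch, syscall, exit_code) combinations that no rule covers."""
    rules = [r for r in (parse_rule(ln) for ln in lines) if r is not None]
    return [(arch, syscall, code) for arch in archs for code in exit_codes
            if not any(rule_satisfies(r, arch, syscall, code) for r in rules)]


# Requirements from the rules on this page: deletion events need no exit
# filter, unsuccessful permission/ownership changes need one rule per errno.
GUIDE_REQUIREMENTS: Dict[str, Tuple[Optional[str], ...]] = {
    "unlinkat": (None,), "rmdir": (None,),
    "chmod": ("-EACCES", "-EPERM"), "chown": ("-EACCES", "-EPERM"),
}


def check_guide_rules(lines: Iterable[str], is_64bit: bool = True) -> Dict[str, List[Tuple[str, str, Optional[str]]]]:
    """Run every requirement; a 64-bit host needs both b32 and b64 rules."""
    lines = list(lines)
    archs = ("b32", "b64") if is_64bit else ("b32",)
    return {sc: check_rules(lines, sc, archs, codes) for sc, codes in GUIDE_REQUIREMENTS.items()}


# Constructed sample of rules.d content (not from a real host): unlinkat is
# complete, chmod lacks its -EPERM rules, rmdir lacks a key and a b32 rule,
# chown is absent.  The grouped chmod line is the one from the Warning above.
SAMPLE_RULES = """\
-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset
-w /etc/audit/ -p wa -k auditconfig
"""

if __name__ == "__main__":
    # On a host, feed the concatenated /etc/audit/rules.d/*.rules instead of SAMPLE_RULES
    for sc, missing in check_guide_rules(SAMPLE_RULES.splitlines()).items():
        print(f"{sc:9}", "ok" if not missing else
              "missing " + ", ".join(f"{a}/{c or 'any'}" for a, _, c in missing))
```

    On a host the input is the concatenation of /etc/audit/rules.d/*.rules in sorted order (what augenrules loads) or /etc/audit/audit.rules when auditd is started through auditctl; a non-empty list for a syscall is the condition the report above records as a fail for that rule.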

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20chown%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20chown%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20chown%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20chown%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
            mode: 0644
            path: /etc/audit/rules.d/75-chown_audit_rules_unsuccessful_file_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_chown_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_chown_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_chown_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_chown_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_chown_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_chown_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_chown_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_chown_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^/etc/audit/rules\.d/.*\.rules$  1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /usr/lib/systemd/system/auditd.service  ^ExecStartPost=\-\/sbin\/auditctl.*$  1

    audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_chown_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_chown_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    /etc/audit/audit.rules  1

    audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_chown_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_chown_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    /etc/audit/audit.rules  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_chown_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_chown_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    /etc/audit/audit.rules  1

    audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_chown_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_chown_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    /etc/audit/audit.rules  1

    Record Unsuccessful Access Attempts to Files - creat  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat  medium  CCE-82621-4

    Record Unsuccessful Access Attempts to Files - creat

    Rule ID  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat
    Result  fail
    Multi-check rule  no
    OVAL Definition ID  oval:ssg-audit_rules_unsuccessful_file_modification_creat:def:1
    Time  2025-10-23T19:36:54+00:00
    Severity  medium
    Identifiers:

    CCE-82621-4

    References:
    cis-csc  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5  APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui  3.1.7
    disa  CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa  164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009  4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013  SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013  A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist  AU-2(d), AU-12(c), CM-6(a)
    nist-csf  DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss  Req-10.2.4, Req-10.2.1
    os-srg  SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205
    app-srg-ctr  SRG-APP-000495-CTR-001235
    anssi  R73
    Description
    At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    Rationale
    Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    ---
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20aui
d%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20
-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful
-access }}
            mode: 0600
            path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_creat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_creat_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^/etc/audit/rules\.d/.*\.rules$  1

    audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_creat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_creat_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^/etc/audit/rules\.d/.*\.rules$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_creat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_creat_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^/etc/audit/rules\.d/.*\.rules$  1

    audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_creat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_creat_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^/etc/audit/rules\.d/.*\.rules$  1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /usr/lib/systemd/system/auditd.service  ^ExecStartPost=\-\/sbin\/auditctl.*$  1

    audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_creat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_creat_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    /etc/audit/audit.rules  1

    audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_creat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_creat_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    /etc/audit/audit.rules  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_creat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_creat_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    /etc/audit/audit.rules  1

    audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_creat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_creat_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    /etc/audit/audit.rules  1

    Record Unsuccessful Permission Changes to Files - fchmod  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmod  medium  CCE-82622-2

    Record Unsuccessful Permission Changes to Files - fchmod

    Rule ID  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmod
    Result  fail
    Multi-check rule  no
    OVAL Definition ID  oval:ssg-audit_rules_unsuccessful_file_modification_fchmod:def:1
    Time  2025-10-23T19:36:54+00:00
    Severity  medium
    Identifiers:

    CCE-82622-2

    References:
    disa  CCI-000172
    nist  AU-2(d), AU-12(c), CM-6(a)
    Description
    The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    Rationale
    Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchmod%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchmod%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchmod%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchmod%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
            mode: 0644
            path: /etc/audit/rules.d/75-fchmod_audit_rules_unsuccessful_file_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_fchmod_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_fchmod_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^/etc/audit/rules\.d/.*\.rules$  1

    audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_fchmod_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_fchmod_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^/etc/audit/rules\.d/.*\.rules$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_fchmod_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_fchmod_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_fchmod_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_fchmod_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_fchmod_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_fchmod_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_fchmod_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_fchmod_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_fchmod_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_fchmod_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_fchmod_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_fchmod_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Unsuccessful Permission Changes to Files - fchmodat  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmodat  medium  CCE-82624-8

    Record Unsuccessful Permission Changes to Files - fchmodat

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmodat
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_fchmodat:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82624-8

    References:
    disa: CCI-000172
    nist: AU-2(d), AU-12(c), CM-6(a)
    Description
    The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    Rationale
    Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchmodat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchmodat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchmodat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchmodat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
            mode: 0644
            path: /etc/audit/rules.d/75-fchmodat_audit_rules_unsuccessful_file_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_fchmodat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_fchmodat_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_fchmodat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_fchmodat_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_fchmodat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_fchmodat_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_fchmodat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_fchmodat_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_fchmodat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_fchmodat_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_fchmodat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_fchmodat_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_fchmodat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_fchmodat_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_fchmodat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_fchmodat_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Unsuccessful Ownership Changes to Files - fchown  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchown  medium  CCE-82625-5

    Record Unsuccessful Ownership Changes to Files - fchown

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchown
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_fchown:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82625-5

    References:
    disa: CCI-000172
    nist: AU-2(d), AU-12(c), CM-6(a)
    Description
    The audit system should collect unsuccessful file ownership change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    Rationale
    Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchown%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchown%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchown%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchown%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
            mode: 0644
            path: /etc/audit/rules.d/75-fchown_audit_rules_unsuccessful_file_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_fchown_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_fchown_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_fchown_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_fchown_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_fchown_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_fchown_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_fchown_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_fchown_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_fchown_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_fchown_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_fchown_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_fchown_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_fchown_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_fchown_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_fchown_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_fchown_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Unsuccessful Ownership Changes to Files - fchownat  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchownat  medium  CCE-82626-3

    Record Unsuccessful Ownership Changes to Files - fchownat

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchownat
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_fchownat:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82626-3

    References:
    disa: CCI-000172
    nist: AU-2(d), AU-12(c), CM-6(a)
    Description
    The audit system should collect unsuccessful file ownership change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    Rationale
    Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchownat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchownat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchownat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchownat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
            mode: 0644
            path: /etc/audit/rules.d/75-fchownat_audit_rules_unsuccessful_file_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_fchownat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_fchownat_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_fchownat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_fchownat_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_fchownat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_fchownat_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_fchownat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_fchownat_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_fchownat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_fchownat_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_fchownat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_fchownat_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_fchownat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_fchownat_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_fchownat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_fchownat_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Unsuccessful Permission Changes to Files - fremovexattr  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fremovexattr  medium  CCE-82627-1

    Record Unsuccessful Permission Changes to Files - fremovexattr

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fremovexattr
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_fremovexattr:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82627-1

    References:
    disa: CCI-000172
    nist: AU-2(d), AU-12(c), CM-6(a)
    Description
    The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    Rationale
    Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fremovexattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fremovexattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fremovexattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fremovexattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
            mode: 0644
            path: /etc/audit/rules.d/75-fremovexattr_audit_rules_unsuccessful_file_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_fremovexattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_fremovexattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_fremovexattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_fremovexattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_fremovexattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_fremovexattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_fremovexattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_fremovexattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_fremovexattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_fremovexattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_fremovexattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_fremovexattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_fremovexattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_fremovexattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_fremovexattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_fremovexattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Unsuccessful Permission Changes to Files - fsetxattr  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fsetxattr  medium  CCE-82628-9

    Record Unsuccessful Permission Changes to Files - fsetxattr

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fsetxattr
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_fsetxattr:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82628-9

    References:
    disa: CCI-000172
    nist: AU-2(d), AU-12(c), CM-6(a)
    Description
    The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    Rationale
    Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fsetxattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fsetxattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fsetxattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fsetxattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
            mode: 0644
            path: /etc/audit/rules.d/75-fsetxattr_audit_rules_unsuccessful_file_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_fsetxattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_fsetxattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^/etc/audit/rules\.d/.*\.rules$  1

    audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_fsetxattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_fsetxattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^/etc/audit/rules\.d/.*\.rules$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_fsetxattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_fsetxattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^/etc/audit/rules\.d/.*\.rules$  1

    audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_fsetxattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_fsetxattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^/etc/audit/rules\.d/.*\.rules$  1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /usr/lib/systemd/system/auditd.service  ^ExecStartPost=\-\/sbin\/auditctl.*$  1

    audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_fsetxattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_fsetxattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    /etc/audit/audit.rules  1

    audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_fsetxattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_fsetxattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    /etc/audit/audit.rules  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_fsetxattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_fsetxattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    /etc/audit/audit.rules  1

    audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_fsetxattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_fsetxattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    /etc/audit/audit.rules  1
    Record Unsuccessful Access Attempts to Files - ftruncate  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate  medium  CCE-82629-7

    Record Unsuccessful Access Attempts to Files - ftruncate

    Rule ID  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate
    Result  fail
    Multi-check rule  no
    OVAL Definition ID  oval:ssg-audit_rules_unsuccessful_file_modification_ftruncate:def:1
    Time  2025-10-23T19:36:54+00:00
    Severity  medium
    Identifiers:

    CCE-82629-7

    References:
    cis-csc  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5  APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui  3.1.7
    disa  CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa  164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009  4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013  SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013  A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist  AU-2(d), AU-12(c), CM-6(a)
    nist-csf  DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss  Req-10.2.4, Req-10.2.1
    os-srg  SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205
    app-srg-ctr  SRG-APP-000495-CTR-001235
    anssi  R73
    Description
    At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    Rationale
    Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system call is checked independently of other system calls. Grouping it with related system calls, as shown earlier in this guide, is more efficient.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    ---
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
            mode: 0600
            path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
            overwrite: true
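    The fsetxattr and ftruncate descriptions above give the rule lines to add, their warnings say that grouped rules are equally acceptable, and the OVAL details show the regular expression the scanner actually applies to each rules file. What follows is an added example, not code from this report or from ComplianceAsCode: it decodes the Ignition data: URL of the fsetxattr MachineConfig into rule lines, re-implements the scanner's check in two forms (the report's own regular expression, and an order-insensitive check on the parsed fields), and exercises the cases a practitioner trips over. The four remediation lines and the grouped rule from the fsetxattr warning pass; a rule whose -F filters are in a different order passes the field check but fails the report's regex, because that pattern fixes the order exit, auid>=1000, auid!=unset, key; and a rule scoped to a syscall argument (-F a2&0100, as in the OSPP snippet) never counts, because of the (?!-F[\s]+a\d&) lookahead. The check accepts any key, which is why the remediation's key=access satisfies a rule whose description uses key=unsuccesful-perm-change. FSETXATTR_MC_SOURCE and GROUPED are copied from this page, ARG_SCOPED is one line of the OSPP snippet, and REORDERED is constructed for the example.

```python
"""Added example: re-implement the report's "unsuccessful file modification"
audit-rule check and decode the MachineConfig remediation (not SCAP code)."""
import re
from urllib.parse import unquote

ERRNOS = ("-EACCES", "-EPERM")
ARCHES = ("b32", "b64")
ARG_FILTER = re.compile(r"^a\d&")  # e.g. a2&0100: rule scoped to an argument value

def decode_data_url(source):
    """Return the file text from an Ignition 'data:,<percent-encoded>' source."""
    prefix = "data:,"
    if not source.startswith(prefix):
        raise ValueError("only plain (non-base64) data: URLs are handled here")
    return unquote(source[len(prefix):])

def parse_rule(line):
    """Split one '-a always,exit ...' syscall rule into its fields.
    Comments, blank lines and other rule types yield None."""
    toks = line.split()
    if toks[:2] != ["-a", "always,exit"]:
        return None
    rule = {"arch": None, "syscalls": set(), "filters": [], "key": None}
    for flag, val in zip(toks[2::2], toks[3::2]):
        if flag == "-F" and val.startswith("arch="):
            rule["arch"] = val[len("arch="):]
        elif flag == "-F" and val.startswith("key="):
            rule["key"] = val[len("key="):]
        elif flag == "-F":
            rule["filters"].append(val)
        elif flag == "-S":
            rule["syscalls"].update(val.split(","))
        elif flag == "-k":
            rule["key"] = val
    return rule

def rule_covers(rule, arch, syscall, errno):
    """Order-insensitive check: right arch and syscall, no argument filter,
    exit=errno, auid>=1000, auid!=unset (or 4294967295) and some key."""
    if rule is None or rule["arch"] != arch or syscall not in rule["syscalls"]:
        return False
    have = set(rule["filters"])
    if any(ARG_FILTER.match(f) for f in have):
        return False
    if not {"exit=" + errno, "auid>=1000"} <= have:
        return False
    if not {"auid!=unset", "auid!=4294967295"} & have:
        return False
    return rule["key"] is not None

def oval_pattern(arch, syscall, errno):
    """The textfilecontent54 pattern from the report, parameterised.  It
    demands the filter order exit, auid>=1000, auid!=unset, key."""
    s = re.escape(syscall)
    return re.compile(
        r"^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=" + re.escape(arch) + r"[\s]+)"
        r"(?:.*(-S[\s]+" + s + r"[\s]+|([\s]+|[,])" + s + r"([\s]+|[,])))"
        r"(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=" + re.escape(errno) + r")[\s]+"
        r"(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)"
        r"(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$"
    )

def missing_rules(rules_text, syscall, strict=True):
    """(arch, errno) pairs with no qualifying rule in rules_text.  strict=True
    applies the report's regex; strict=False applies rule_covers()."""
    lines = rules_text.splitlines()
    parsed = [parse_rule(l) for l in lines]
    missing = []
    for arch in ARCHES:
        for errno in ERRNOS:
            if strict:
                pat = oval_pattern(arch, syscall, errno)
                found = any(pat.search(l) for l in lines)
            else:
                found = any(rule_covers(r, arch, syscall, errno) for r in parsed)
            if not found:
                missing.append((arch, errno))
    return missing

def keys_used(rules_text):
    """Audit keys used by the syscall rules in rules_text."""
    rules = map(parse_rule, rules_text.splitlines())
    return {r["key"] for r in rules if r and r["key"]}

# Ignition source copied from the fsetxattr MachineConfig remediation on this page.
FSETXATTR_MC_SOURCE = (
    "data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fsetxattr%20-F%20exit%3D-EACCES"
    "%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A"
    "-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fsetxattr%20-F%20exit%3D-EPERM"
    "%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A"
    "-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fsetxattr%20-F%20exit%3D-EACCES"
    "%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A"
    "-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fsetxattr%20-F%20exit%3D-EPERM"
    "%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A")
# GROUPED is the rule from the fsetxattr warning; ARG_SCOPED is one OSPP line;
# REORDERED is constructed for this example.
GROUPED = ("-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr"
           " -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change")
REORDERED = ("-a always,exit -F arch=b64 -S ftruncate -F auid>=1000 -F auid!=unset"
             " -F exit=-EACCES -F key=access")
ARG_SCOPED = ("-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100"
              " -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create")

if __name__ == "__main__":
    rules = decode_data_url(FSETXATTR_MC_SOURCE)
    print("fsetxattr missing:", missing_rules(rules, "fsetxattr"), "keys:", keys_used(rules))
    print("grouped rule accepted:", bool(oval_pattern("b32", "fsetxattr", "-EACCES").search(GROUPED)))
    print("reordered rule: regex", missing_rules(REORDERED, "ftruncate"),
          "fields", missing_rules(REORDERED, "ftruncate", strict=False))
    print("argument-scoped rule counts:", rule_covers(parse_rule(ARG_SCOPED), "b64", "openat", "-EACCES"))
```

    On a node the same text comes from the file the MachineConfig writes under /etc/audit/rules.d; after augenrules --load, auditctl -l shows what the kernel actually accepted, which is the form worth feeding to the strict check before a scan, since the scanner reads the file and not the kernel.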
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_ftruncate_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_ftruncate_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^/etc/audit/rules\.d/.*\.rules$  1

    audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_ftruncate_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_ftruncate_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^/etc/audit/rules\.d/.*\.rules$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_ftruncate_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_ftruncate_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^/etc/audit/rules\.d/.*\.rules$  1

    audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_ftruncate_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_ftruncate_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^/etc/audit/rules\.d/.*\.rules$  1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /usr/lib/systemd/system/auditd.service  ^ExecStartPost=\-\/sbin\/auditctl.*$  1

    audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_ftruncate_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_ftruncate_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    /etc/audit/audit.rules  1

    audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_ftruncate_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_ftruncate_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    /etc/audit/audit.rules  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_ftruncate_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_ftruncate_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    /etc/audit/audit.rules1

    audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_ftruncate_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_ftruncate_auditctl:obj:1 of type textfilecontent54_object
    FilepathPatternInstance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    /etc/audit/audit.rules1
    Record Unsuccessful Ownership Changes to Files - lchown  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lchown  medium  CCE-82630-5

    Record Unsuccessful Ownership Changes to Files - lchown

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lchown
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_lchown:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82630-5

    References:
    disa: CCI-000172
    nist: AU-2(d), AU-12(c), CM-6(a)
    Description
    The audit system should collect unsuccessful file ownership change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    If the system is 64-bit, also add the following lines:
    -a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    Rationale
    Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lchown%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lchown%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lchown%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lchown%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
            mode: 0644
            path: /etc/audit/rules.d/75-lchown_audit_rules_unsuccessful_file_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_lchown_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_lchown_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_lchown_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_lchown_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_lchown_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_lchown_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_lchown_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_lchown_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_lchown_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_lchown_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_lchown_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_lchown_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_lchown_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_lchown_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_lchown_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_lchown_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Unsuccessful Permission Changes to Files - lremovexattr  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lremovexattr  medium  CCE-82631-3

    Record Unsuccessful Permission Changes to Files - lremovexattr

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lremovexattr
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_lremovexattr:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82631-3

    References:
    disa: CCI-000172
    nist: AU-2(d), AU-12(c), CM-6(a)
    Description
    The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    If the system is 64-bit, also add the following lines:
    -a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    Rationale
    Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lremovexattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lremovexattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lremovexattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lremovexattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
            mode: 0644
            path: /etc/audit/rules.d/75-lremovexattr_audit_rules_unsuccessful_file_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_lremovexattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_lremovexattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_lremovexattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_lremovexattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_lremovexattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_lremovexattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_lremovexattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_lremovexattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_lremovexattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_lremovexattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_lremovexattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_lremovexattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_lremovexattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_lremovexattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_lremovexattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_lremovexattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Unsuccessful Permission Changes to Files - lsetxattr  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lsetxattr  medium  CCE-82632-1

    Record Unsuccessful Permission Changes to Files - lsetxattr

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lsetxattr
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_lsetxattr:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82632-1

    References:
    disa: CCI-000172
    nist: AU-2(d), AU-12(c), CM-6(a)
    Description
    The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    If the system is 64-bit, also add the following lines:
    -a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    Rationale
    Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lsetxattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lsetxattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lsetxattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lsetxattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
            mode: 0644
            path: /etc/audit/rules.d/75-lsetxattr_audit_rules_unsuccessful_file_modification.rules
            overwrite: true
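    The three lchown, lremovexattr and lsetxattr rules above all demand the same shape of audit rule: an always,exit rule per architecture (b32 and b64) and per error code (-EACCES and -EPERM), filtered on auid>=1000 and auid!=unset (the OVAL check also accepts the numeric 4294967295), with a key given either as -F key= or -k. The following Python script is an added example written for this guide, not code from the ComplianceAsCode project or from the oscap scanner; it tokenizes audit rule lines the way auditctl reads them and reports which (arch, errno) combinations are still missing for a syscall. Because it matches a syscall anywhere in a -S list, the grouped form recommended in the Warnings sections passes too. All three rules files it checks are constructed inline, including one that deliberately omits the 64-bit EPERM rule and uses the legacy numeric "unset" value.

```python
from itertools import product

ARCHES = ("b32", "b64")
ERRNOS = ("EACCES", "EPERM")

# Constructed sample: the per-syscall form from the lchown Description above
# (the key spelling is the one the guide uses).
PER_SYSCALL_RULES = """\
-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
"""

# Constructed sample: the grouped form from the Warnings sections, carried to
# both architectures and both error codes, with the xattr syscalls covered.
GROUPED_RULES = """\
# ownership changes
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
# permission and extended-attribute changes
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
"""

# Constructed sample: a file that forgets the 64-bit EPERM rule, writes the
# legacy numeric "unset" and uses the -k key form that the check also accepts.
INCOMPLETE_RULES = """\
-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
"""


def parse_rule(line):
    """Tokenize one '-a always,exit' syscall rule into its fields.

    Returns None for comments, watch rules (-w) and anything else that is not
    an always,exit rule, so such lines are simply ignored by the check.
    """
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "-a" or tokens[1] != "always,exit":
        return None
    rule = {"arch": None, "syscalls": set(), "exit": None,
            "auid_min": None, "auid_unset": False, "key": None}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-F" and i + 1 < len(tokens):
            val = tokens[i + 1]
            i += 2
            if val.startswith("arch="):
                rule["arch"] = val[len("arch="):]
            elif val.startswith("exit="):
                # "exit=-EACCES" -> "EACCES"
                rule["exit"] = val[len("exit="):].lstrip("-")
            elif val.startswith("auid>="):
                rule["auid_min"] = int(val[len("auid>="):])
            elif val in ("auid!=unset", "auid!=4294967295"):
                rule["auid_unset"] = True
            elif val.startswith("key="):
                rule["key"] = val[len("key="):]
        elif tok == "-S" and i + 1 < len(tokens):
            # a single -S may carry a comma-separated list of syscalls
            rule["syscalls"].update(tokens[i + 1].split(","))
            i += 2
        elif tok == "-k" and i + 1 < len(tokens):
            rule["key"] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return rule


def missing_rules(rules_text, syscall):
    """Return the sorted (arch, errno) pairs not covered by a satisfying rule."""
    satisfied = set()
    for line in rules_text.splitlines():
        rule = parse_rule(line.strip())
        if rule is None:
            continue
        if (syscall in rule["syscalls"] and rule["arch"] in ARCHES
                and rule["exit"] in ERRNOS and rule["auid_min"] == 1000
                and rule["auid_unset"] and rule["key"]):
            satisfied.add((rule["arch"], rule["exit"]))
    return sorted(set(product(ARCHES, ERRNOS)) - satisfied)


def check_rules(rules_text, syscall):
    """True when every arch/errno combination for the syscall is covered."""
    return not missing_rules(rules_text, syscall)


if __name__ == "__main__":
    samples = {"per-syscall": PER_SYSCALL_RULES, "grouped": GROUPED_RULES,
               "incomplete": INCOMPLETE_RULES}
    for name, text in samples.items():
        for syscall in ("lchown", "lremovexattr", "lsetxattr"):
            gaps = missing_rules(text, syscall)
            status = "pass" if not gaps else "fail, missing " + str(gaps)
            print(f"{name:12s} {syscall:13s} {status}")
```

    Point it at a real deployment by reading /etc/audit/rules.d/*.rules (or /etc/audit/audit.rules when auditd loads rules through auditctl) into rules_text; the script only asserts the presence of rules, it does not load them, so it can run on a copy of the files from any host.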
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_lsetxattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_lsetxattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Instance: 1
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern fragments as listed in the report (suffix, prefix):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*

    audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_lsetxattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_lsetxattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Instance: 1
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern fragments as listed in the report (suffix, prefix):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_lsetxattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_lsetxattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Instance: 1
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern fragments as listed in the report (suffix, prefix):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*

    audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_lsetxattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_lsetxattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Instance: 1
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern fragments as listed in the report (suffix, prefix):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_lsetxattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_lsetxattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Instance: 1
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern fragments as listed in the report (suffix, prefix):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*

    audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_lsetxattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_lsetxattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Instance: 1
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern fragments as listed in the report (suffix, prefix):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_lsetxattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_lsetxattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Instance: 1
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern fragments as listed in the report (suffix, prefix):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*

    audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_lsetxattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_lsetxattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Instance: 1
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern fragments as listed in the report (suffix, prefix):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    Record Unsuccessful Access Attempts to Files - open

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_open:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers: CCE-82633-9

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.4, Req-10.2.1
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205
    app-srg-ctr: SRG-APP-000495-CTR-001235
    anssi: R73
    Description
    At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    Rationale
    Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system call is checked independently of other system calls. Grouping it with the related system calls, as shown earlier in this guide, is more efficient.

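The check that produces the OVAL results below (and the matching results for lsetxattr above) is a single regular expression applied line by line to every /etc/audit/rules.d/*.rules file or to /etc/audit/audit.rules. Reading that regex carefully tells you which rule layouts pass: the per-syscall form from the description, the grouped form from the warning, `-k` or `-F key=`, and `auid!=unset` or `auid!=4294967295` all pass, while a rule with an argument filter such as `-F a1&0100` between the syscall and the exit filter, or with the filters in a different order, does not. The following Python is an added example, not ComplianceAsCode content; it rebuilds that regex from the parts printed in the test details and runs it over a constructed rules file so a practitioner can vet rules before scanning.

```python
"""The textfilecontent54 pattern from the OVAL test details on this page,
re-implemented so an audit rules file can be vetted before the scanner runs.
Added example, not ComplianceAsCode content; SAMPLE_RULES is a constructed
/etc/audit/rules.d/*.rules file, not one taken from a real host."""
import re


def ssg_pattern(syscall, arch, errno):
    """Compile the check regex for one syscall / arch / errno triple.

    The pattern accepts the syscall either as the sole -S argument or as one
    member of a comma-separated list, rejects a rule that carries an argument
    filter (-F a0&..., -F a1&..., ...) between the syscall and the exit filter,
    and requires the filters in this order: exit, auid>=1000, auid!=unset, key.
    """
    sc = re.escape(syscall)
    return re.compile(
        r"^[\s]*-a[\s]+always,exit[\s]+"
        rf"(?:-F[\s]+arch={arch}[\s]+)"
        rf"(?:.*(-S[\s]+{sc}[\s]+|([\s]+|[,]){sc}([\s]+|[,])))"
        r"(?:(?!-F[\s]+a\d&).)*"
        rf"(?:-F\s+exit=-{errno})[\s]+"
        r"(?:-F\s+auid>=1000[\s]+)"
        r"(?:-F\s+auid!=(unset|4294967295)[\s]+)"
        r"(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$"
    )


def first_matching_line(rules_text, syscall, arch, errno):
    """First line satisfying the pattern (OVAL instance 1), else None.
    One such line in any *.rules file is enough for the check to pass."""
    pat = ssg_pattern(syscall, arch, errno)
    for line in rules_text.splitlines():
        if pat.match(line):
            return line
    return None


def coverage(rules_text, syscall, archs=("b32", "b64")):
    """Map (arch, errno) -> bool for the four rules a 64-bit host needs."""
    return {
        (arch, errno): first_matching_line(rules_text, syscall, arch, errno) is not None
        for arch in archs
        for errno in ("EACCES", "EPERM")
    }


# Constructed sample rules file.  Lines 3 and 4 look plausible but do not
# satisfy the check for `open`: an argument filter sits between -S and
# -F exit, and the auid filters precede the exit filter.
SAMPLE_RULES = """\
## per-syscall form, as in the rule description
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
## grouped form from the warning, using -k and the numeric form of 'unset'
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
## argument filter between the syscall and the exit filter
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
## filters in the wrong order
-a always,exit -F arch=b32 -S open -F auid>=1000 -F auid!=unset -F exit=-EPERM -F key=access
"""


if __name__ == "__main__":
    for syscall in ("open", "open_by_handle_at", "truncate", "lsetxattr"):
        for (arch, errno), ok in sorted(coverage(SAMPLE_RULES, syscall).items()):
            print(f"{syscall:18s} {arch} {errno:7s} {'pass' if ok else 'FAIL'}")
```

Run against the sample, `open` is covered for b64 on both errnos and for b32 on neither, which is exactly the shape of the failing result tables on this page for a host where only some rules are present. The same consequence applies to the OSPP remediation file: its `unsuccesful-create` and `unsuccesful-modification` lines carry `-F a1&0100` or `-F a2&01003` and therefore do not count, and only the final `unsuccesful-access` lines, which have no argument filter, satisfy the `open` check.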
    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    ---
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,%23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access
            mode: 0600
            path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
            overwrite: true
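Both MachineConfig remediations on this page (the lsetxattr one above and this one) deliver the rules file as an Ignition `data:,` URL in which the whole file is percent-encoded, which is why `,` appears as `%2C`, `=` as `%3D`, `!` as `%21`, `>` as `%3E` and the line break as `%0A`. The following Python is an added example, not ComplianceAsCode or OpenShift tooling: it packs plain rule lines into that form, unpacks a URL back into readable rules, and renders a MachineConfig in the same shape as the remediation. `PAGE_LSETXATTR_URL` is copied from the lsetxattr remediation above; the MachineConfig name, the `worker` role label and the rule lines fed to `build_machineconfig()` in the demo are assumptions made for illustration.

```python
"""Pack audit rules into the Ignition data: URL form used by the MachineConfig
remediations above, and unpack such a URL back into readable rules.
Added example, not ComplianceAsCode or OpenShift tooling.  PAGE_LSETXATTR_URL
is copied from the lsetxattr remediation on this page; the MachineConfig name,
the 'worker' role label and the rule lines passed to build_machineconfig()
in the demo are assumptions made for illustration."""
from urllib.parse import quote, unquote

DATA_PREFIX = "data:,"


def rules_to_data_url(rules):
    """Newline-terminate each rule and percent-encode the whole file.
    safe="" makes ',', '=', '!' and '>' come out as %2C, %3D, %21 and %3E,
    the same encoding the remediation snippets carry."""
    body = "".join(line.rstrip("\n") + "\n" for line in rules)
    return DATA_PREFIX + quote(body, safe="")


def data_url_to_rules(url):
    """Inverse of rules_to_data_url: the decoded, non-empty lines."""
    if not url.startswith(DATA_PREFIX):
        raise ValueError("expected an unencoded 'data:,' URL")
    return [l for l in unquote(url[len(DATA_PREFIX):]).splitlines() if l.strip()]


def build_machineconfig(name, role, path, rules, mode="0644"):
    """Render a MachineConfig that installs `rules` at `path` through
    Ignition 3.1.0, in the same shape as the remediation above (the metadata
    block, which the rendered remediation omits, is added here)."""
    return (
        "apiVersion: machineconfiguration.openshift.io/v1\n"
        "kind: MachineConfig\n"
        "metadata:\n"
        f"  name: {name}\n"
        "  labels:\n"
        f"    machineconfiguration.openshift.io/role: {role}\n"
        "spec:\n"
        "  config:\n"
        "    ignition:\n"
        "      version: 3.1.0\n"
        "    storage:\n"
        "      files:\n"
        "      - contents:\n"
        f"          source: {rules_to_data_url(rules)}\n"
        f"        mode: {mode}\n"
        f"        path: {path}\n"
        "        overwrite: true\n"
    )


# The data: URL from the lsetxattr remediation shown earlier on this page.
PAGE_LSETXATTR_URL = (
    "data:,"
    "-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lsetxattr%20-F%20exit%3D-EACCES"
    "%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A"
    "-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lsetxattr%20-F%20exit%3D-EPERM"
    "%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A"
    "-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lsetxattr%20-F%20exit%3D-EACCES"
    "%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A"
    "-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lsetxattr%20-F%20exit%3D-EPERM"
    "%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A"
)


if __name__ == "__main__":
    # Decoding the page's remediation shows the rules it really installs.
    for line in data_url_to_rules(PAGE_LSETXATTR_URL):
        print(line)
    # Assumed object name, role label and path (illustration only).
    print(build_machineconfig(
        "75-audit-unsuccessful-open",
        "worker",
        "/etc/audit/rules.d/75-open_audit_rules_unsuccessful_file_modification.rules",
        [
            "-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access",
            "-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access",
            "-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access",
            "-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access",
        ],
    ))
```

Decoding the lsetxattr URL shows that the installed lines use `key=access`, not the `unsuccesful-perm-change` key named in that rule's description; the check accepts any key, so the result is unaffected, but searches with `ausearch -k` must use the key that is actually on disk. Applying such a MachineConfig with `oc apply -f` triggers the node reboot that the Reboot: true flag above announces.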
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_open_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_open_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Instance: 1
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern fragments as listed in the report (suffix, prefix):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*

    audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_open_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_open_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Instance: 1
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern fragments as listed in the report (suffix, prefix):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_open_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_open_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Instance: 1
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern fragments as listed in the report (suffix, prefix):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*

    audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_open_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_open_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Instance: 1
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern fragments as listed in the report (suffix, prefix):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_open_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_open_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Instance: 1
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern fragments as listed in the report (suffix, prefix):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*

    audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_open_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_open_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Instance: 1
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern fragments as listed in the report (suffix, prefix):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_open_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_open_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Instance: 1
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern fragments as listed in the report (suffix, prefix):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*

    audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_open_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_open_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Instance: 1
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern fragments as listed in the report (suffix, prefix):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    Record Unsuccessful Access Attempts to Files - open_by_handle_at

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers: CCE-82640-4

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.4, Req-10.2.1
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205
    app-srg-ctr: SRG-APP-000495-CTR-001235
    Description
    At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    Rationale
    Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    ---
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20aui
d%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20
-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful
-access }}
            mode: 0600
            path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat | medium | CCE-82641-2

    Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82641-2

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.4, Req-10.2.1
    os-srg: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172
    Description
    The audit system should collect unauthorized file accesses for all users and root. The open_by_handle_at syscall can be used to create new files when the O_CREAT flag is specified. The following audit rules will ensure that unsuccessful attempts to create a file via the open_by_handle_at syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    
    Rationale
    Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    ---
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20aui
d%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20
-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful
-access }}
            mode: 0600
            path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (assembled from the prefix and suffix components shown):
      prefix: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
      suffix: [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      full: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (assembled from the prefix and suffix components shown):
      prefix: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
      suffix: [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      full: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_auditctl:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (assembled from the prefix and suffix components shown):
      prefix: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
      suffix: [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      full: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_auditctl:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (assembled from the prefix and suffix components shown):
      prefix: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
      suffix: [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      full: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_auditctl:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (assembled from the prefix and suffix components shown):
      prefix: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
      suffix: [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      full: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_auditctl:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (assembled from the prefix and suffix components shown):
      prefix: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
      suffix: [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      full: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write  medium  CCE-82642-0

    Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82642-0

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.4, Req-10.2.1
    os-srg: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172
    Description
    The audit system should collect detailed unauthorized file accesses for all users and root. The open_by_handle_at syscall can be used to modify a file when it is called with a write flag (O_WRONLY or O_RDWR) or with the O_TRUNC flag; the filter a2&01003 in the rules below tests the third syscall argument (the open flags) against the octal mask O_WRONLY | O_RDWR | O_TRUNC, so it selects exactly those calls. The following audit rules ensure that unsuccessful attempts to modify a file via the open_by_handle_at syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    
    Rationale
    Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping system calls related to the same event into one rule is more efficient, because the kernel evaluates fewer rules per syscall exit, and the check above accepts a grouped rule as long as open_by_handle_at appears in the -S list. See the following example:
    -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    ---
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20aui
d%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20
-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful
-access }}
            mode: 0600
            path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (assembled from the prefix and suffix components shown):
      prefix: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
      suffix: [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      full: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (assembled from the prefix and suffix components shown):
      prefix: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
      suffix: [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      full: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (assembled from the prefix and suffix components shown):
      prefix: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
      suffix: [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      full: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (assembled from the prefix and suffix components shown):
      prefix: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
      suffix: [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      full: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_auditctl:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (assembled from the prefix and suffix components shown):
      prefix: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
      suffix: [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      full: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_auditctl:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (assembled from the prefix and suffix components shown):
      prefix: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
      suffix: [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      full: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_auditctl:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (assembled from the prefix and suffix components shown):
      prefix: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
      suffix: [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      full: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_auditctl:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (assembled from the prefix and suffix components shown):
      prefix: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
      suffix: [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      full: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order  medium  CCE-82643-8

    Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82643-8

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.4, Req-10.2.1
    os-srg: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172
    Description
    The audit system should collect detailed unauthorized file accesses for all users and root. To correctly distinguish unsuccessful creation, unsuccessful modification and other unsuccessful access of files via the open_by_handle_at syscall, the audit rules collecting these events must be in a specific order: the more specific rules (those carrying an a2 flag filter) must come before the less specific ones. A more specific rule matches a subset of the events matched by a less specific rule, and the kernel applies the first rule in the list that matches, so a catch-all rule placed first would record those events under its own key and the specific rules would never fire. Make sure that the rules for unsuccessful calls of the open_by_handle_at syscall appear in the order shown below. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), check the order of the rules below in a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, check the order of the rules below in the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
    -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
    
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
    -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
    
    Rationale
    The more specific rules cover a subset of events covered by the less specific rules. By ordering them from more specific to less specific, it is assured that the less specific rule will not catch events better recorded by the more specific rule.
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_order_32bit_eacces_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_order_32bit_eacces_augenrules:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_eacces_aug
    Filepath: ^/etc/audit/rules\.d/.*\.rules$ | Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_order_32bit_eperm_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_order_32bit_eperm_augenrules:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_eperm_auge
    Filepath: ^/etc/audit/rules\.d/.*\.rules$ | Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_order_64bit_eacces_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_order_64bit_eacces_augenrules:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_by_handle_at_eacces_aug
    Filepath: ^/etc/audit/rules\.d/.*\.rules$ | Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_order_64bit_eperm_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_order_64bit_eperm_augenrules:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_by_handle_at_eperm_auge
    Filepath: ^/etc/audit/rules\.d/.*\.rules$ | Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service | Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$ | Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_order_32bit_eacces_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_order_32bit_eacces_auditctl:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_auditctl_e
    Filepath: ^/etc/audit/rules\.d/.*\.rules$ | Instance: 1

    Test order of audit 32bit auditctl eperm rules order  oval:ssg-test_arufm_open_by_handle_at_order_32bit_eperm_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_order_32bit_eperm_auditctl:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_auditctl_e
    Filepath: ^/etc/audit/rules\.d/.*\.rules$ | Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_order_64bit_eacces_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_order_64bit_eacces_auditctl:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_open_by_handle_at_order_64bit_auditctl_eacces
    Filepath: ^/etc/audit/rules\.d/.*\.rules$ | Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_by_handle_at_order_64bit_eperm_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_by_handle_at_order_64bit_eperm_auditctl:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_by_handle_at_auditctl_e
    Filepath: ^/etc/audit/rules\.d/.*\.rules$ | Instance: 1
    Record Unsuccessful Creation Attempts to Files - open O_CREAT | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_creat | medium | CCE-82644-6

    Record Unsuccessful Creation Attempts to Files - open O_CREAT

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_creat
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_open_o_creat:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82644-6

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.4, Req-10.2.1
    os-srg: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172
    Description
    The audit system should collect unauthorized file accesses for all users and root. The open syscall can be used to create new files when the O_CREAT flag is specified. The following audit rules ensure that unsuccessful attempts to create a file via the open syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    
    Rationale
    Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    ---
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20aui
d%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20
-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful
-access }}
            mode: 0600
            path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
            overwrite: true
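    The following Python script is an added example; it is not part of this guide or of the ComplianceAsCode content it renders. It does offline what the open_by_handle_at ordering item above and this open O_CREAT item describe: parse_rules reads lines in the audit.rules syntax shown on this page (including grouped syscall lists such as -S openat,open_by_handle_at, the form the warning above recommends), check_order verifies for one syscall, architecture and exit value that the unsuccesful-create, unsuccesful-modification and unsuccesful-access rules all exist and appear in that order, most specific first, and check_open_o_creat verifies that open(2) rules with -F a1&0100 exist for both -EACCES and -EPERM. The masks 0100 and 01003, the auid filters and the key names are taken from the rules above; ranking 0100 before 01003 before no mask is the order the guide prescribes. The sample rules file is constructed for the example, with the -EPERM O_CREAT rule deliberately left out so that the check reports it.

```python
"""Offline checker for the unsuccessful file creation/modification/access
audit rules: parses audit.rules syntax, verifies the create -> modification
-> access order per syscall/arch/exit, and verifies the open O_CREAT rules."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Flags masks the guide puts on the open flags argument; the rank is the required
# position relative to the other kinds (most specific first). A rule with no
# mask is the catch-all access rule and ranks last (2).
MASK_RANK = {"0100": 0, "01003": 1}   # 0100 = O_CREAT, 01003 = write/truncate bits
RANK_NAME = {0: "create", 1: "modification", 2: "access"}
RULE_RE = re.compile(r"^\s*-a\s+always,exit\s+(.*)$")
FIELD_RE = re.compile(r"-([FSk])\s+(\S+)")


@dataclass
class AuditRule:
    line_no: int
    arch: Optional[str]
    syscalls: FrozenSet[str]
    flag_arg: Optional[str]   # "a1" for open(2), "a2" for openat/open_by_handle_at
    mask: Optional[str]       # value after '&' in -F aN&MASK, None when absent
    exit_code: Optional[str]  # e.g. "-EACCES"
    has_auid_filter: bool     # both auid>=1000 and auid!=unset (or 4294967295)
    key: Optional[str]

    @property
    def rank(self) -> int:
        return MASK_RANK.get(self.mask, 2)


def parse_rules(text: str) -> List[AuditRule]:
    """Parse '-a always,exit ...' syscall rules; comments, watches and control lines are skipped."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue
        arch = flag_arg = mask = exit_code = key = None
        syscalls, auid_ge, auid_ne = set(), False, False
        for opt, val in FIELD_RE.findall(m.group(1)):
            if opt == "S":
                syscalls.update(val.split(","))
            elif opt == "k" or val.startswith("key="):
                key = val[4:] if opt == "F" else val
            elif val.startswith("arch="):
                arch = val[5:]
            elif val.startswith("exit="):
                exit_code = val[5:]
            elif val == "auid>=1000":
                auid_ge = True
            elif val.startswith("auid!="):
                auid_ne = val[6:] in ("unset", "4294967295")
            elif re.fullmatch(r"a[0-3]&[0-7]+", val):
                flag_arg, mask = val.split("&", 1)
        rules.append(AuditRule(n, arch, frozenset(syscalls), flag_arg, mask,
                               exit_code, auid_ge and auid_ne, key))
    return rules


def check_order(rules: List[AuditRule], syscall: str, arch: str,
                exit_code: str) -> List[str]:
    """Problems with the rules covering one syscall/arch/exit combination;
    empty means create, modification and access rules all exist, in that
    order, each with the auid filters and a key."""
    chain = [r for r in rules if syscall in r.syscalls
             and r.arch == arch and r.exit_code == exit_code]
    present = {r.rank for r in chain}
    problems = [f"no unsuccesful-{name} rule for {syscall}/{arch}/{exit_code}"
                for rank, name in RANK_NAME.items() if rank not in present]
    for earlier, later in zip(chain, chain[1:]):
        if earlier.rank > later.rank:   # less specific rule first: it shadows the next
            problems.append(f"line {earlier.line_no} ({RANK_NAME[earlier.rank]}) "
                            f"shadows line {later.line_no} ({RANK_NAME[later.rank]})")
    problems += [f"line {r.line_no}: missing auid filters or key"
                 for r in chain if not (r.has_auid_filter and r.key)]
    return problems


def check_open_o_creat(rules: List[AuditRule], arch: str) -> List[str]:
    """Exit codes lacking an open(2) rule on this arch with -F a1&0100, auid filters and a key."""
    return [exit_code for exit_code in ("-EACCES", "-EPERM")
            if not any("open" in r.syscalls and r.arch == arch
                       and r.flag_arg == "a1" and r.mask == "0100"
                       and r.exit_code == exit_code
                       and r.has_auid_filter and bool(r.key) for r in rules)]


# Constructed sample of a /etc/audit/rules.d/*.rules fragment (not from a real host).
SAMPLE_RULES = """\
## create (most specific) first, then modification, then the catch-all access rule
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
"""
# The same rules reversed: the catch-all now comes first and shadows the rest.
MISORDERED_RULES = "\n".join(reversed(SAMPLE_RULES.splitlines()))
```

    To check a host, feed the concatenation of /etc/audit/rules.d/*.rules (or /etc/audit/audit.rules when auditd loads rules through auditctl) to parse_rules, then run check_order for every syscall, architecture and exit value the items require and check_open_o_creat for b32 and b64; the script only reads text and never talks to auditd, so it can run on a copy of the files taken from a node.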
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load

    defined audit rule must exist  oval:ssg-test_arufm_open_o_creat_32bit_a20100_eacces_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_o_creat_32bit_a20100_eacces_augenrules:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$ | Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_o_creat_32bit_a20100_eperm_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_o_creat_32bit_a20100_eperm_augenrules:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$ | Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_arufm_open_o_creat_64bit_a20100_eacces_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_o_creat_64bit_a20100_eacces_augenrules:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$ | Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_o_creat_64bit_a20100_eperm_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_o_creat_64bit_a20100_eperm_augenrules:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$  Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service  Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$  Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_o_creat_32bit_a20100_eacces_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_o_creat_32bit_a20100_eacces_auditctl:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$  Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_o_creat_32bit_a20100_eperm_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_o_creat_32bit_a20100_eperm_auditctl:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$  Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_arufm_open_o_creat_64bit_a20100_eacces_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_o_creat_64bit_a20100_eacces_auditctl:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$  Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_o_creat_64bit_a20100_eperm_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_o_creat_64bit_a20100_eperm_auditctl:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$  Instance: 1
    Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_trunc_write  medium  CCE-82645-3

    Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_trunc_write
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82645-3

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.4, Req-10.2.1
    os-srg: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172
    Description
    The audit system should collect detailed unauthorized file accesses for all users and root. The open syscall can be used to modify a file if it is called for a write operation (O_WRONLY or O_RDWR) or with the O_TRUNC flag; the filter a1&01003 is a bit-mask test on the flags argument of open and matches whenever any of those bits (octal 01, 02 or 01000) is set. The following audit rules ensure that unsuccessful attempts to modify a file via the open syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    
    Rationale
    Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system call has been placed independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    ---
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
            mode: 0600
            path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    defined audit rule must exist  oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eacces_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eacces_augenrules:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$  Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eperm_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eperm_augenrules:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$  Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eacces_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eacces_augenrules:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$  Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eperm_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eperm_augenrules:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$  Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service  Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$  Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eacces_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eacces_auditctl:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$  Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eperm_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eperm_auditctl:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$  Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eacces_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eacces_auditctl:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$  Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eperm_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eperm_auditctl:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$  Instance: 1
    Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_rule_order  medium  CCE-82646-1

    Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_rule_order
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_open_rule_order:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82646-1

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.4, Req-10.2.1
    os-srg: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172
    Description
    The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files via the open syscall, the audit rules collecting these events need to be in a certain order: the more specific rules must come before the less specific ones. The kernel searches the rule list in order and the first matching rule determines how the event is recorded, so a specific rule (for example one filtering on the O_CREAT or write/truncate flag bits) placed after a catch-all rule would never fire, because the catch-all rule matches a superset of its events. Make sure that the rules for unsuccessful calls of the open syscall are in the order shown below. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), check the order of the rules below in a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, check the order of the rules below in the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
    -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
    
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
    -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
    
    Rationale
    The more specific rules cover a subset of the events covered by the less specific rules. By ordering them from more specific to less specific, it is ensured that a less specific rule will not catch events that are better recorded by a more specific rule.
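    The two checks described above (the O_TRUNC/write rules for open and their ordering relative to the create and catch-all rules) can be verified with one small parser. The following is an added example, not ComplianceAsCode, OpenSCAP or auditd code: it parses auditd syscall rule lines for open(2), lists which of the required a1&01003 rules are missing per architecture and errno, lists per architecture and errno whether the create, modification and catch-all rules appear in most-specific-first order, and simulates the kernel's first-match search of the exit filter list so the effect of a misordering is visible. The sample rules.d content, the function names, and the assumption that the auid filters are satisfied (an interactive user with auid >= 1000) are the example's own.

```python
"""Added example (not ComplianceAsCode content): check auditd open(2) rules.

Checks the 'a1&01003' modification rules the profile requires, the
create -> modification -> access ordering, and simulates first-match.
"""
import shlex

# Flag bits from <fcntl.h> on Linux. The profile's masks are octal: 0100 is
# O_CREAT, 01003 is O_WRONLY | O_RDWR | O_TRUNC.
O_WRONLY, O_RDWR, O_CREAT, O_TRUNC = 0o1, 0o2, 0o100, 0o1000
MOD_MASK = O_WRONLY | O_RDWR | O_TRUNC
ERRNOS = ("-EACCES", "-EPERM")

# Constructed sample rules.d content (not a real system's file): the b64 rules
# follow the required order; the b32 catch-all rules are placed before the
# modification rules, which is the misordering the rule above is meant to catch.
SAMPLE_RULES = """\
## b64: correct order
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
## b32: catch-all rules too early
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
"""


def parse_rule(line):
    """Parse one '-a always,exit ...' line; return None for comments and other lines."""
    toks = shlex.split(line)
    if toks[:2] != ["-a", "always,exit"]:
        return None
    rule = {"arch": None, "syscalls": set(), "a1mask": None, "exit": None, "key": None}
    i = 2
    while i + 1 < len(toks):          # every option used here takes one value
        opt, val = toks[i], toks[i + 1]
        if opt == "-S":
            rule["syscalls"].update(val.split(","))
        elif opt == "-k":
            rule["key"] = val
        elif opt == "-F":
            if val.startswith("arch="):
                rule["arch"] = val[5:]
            elif val.startswith("a1&"):           # bit-mask test on open's flags argument
                rule["a1mask"] = int(val[3:], 8)  # auditctl masks are written in octal
            elif val.startswith("exit="):
                rule["exit"] = val[5:]
            elif val.startswith("key="):
                rule["key"] = val[4:]
        i += 2
    return rule


def load_open_rules(text):
    """All syscall rules in text that cover the open syscall, in file order."""
    parsed = (parse_rule(l) for l in text.splitlines())
    return [r for r in parsed if r and "open" in r["syscalls"]]


def missing_trunc_write_rules(rules, archs=("b32", "b64")):
    """(arch, errno) pairs that lack an 'open -F a1&01003 -F exit=<errno>' rule."""
    return [(a, e) for a in archs for e in ERRNOS
            if not any(r["arch"] == a and r["exit"] == e and r["a1mask"] == MOD_MASK
                       for r in rules)]


def rule_kind(rule):
    """Classify a rule by its a1 mask: create, modification or catch-all access."""
    return {O_CREAT: "create", MOD_MASK: "modification", None: "access"}.get(rule["a1mask"])


def order_violations(rules, archs=("b32", "b64")):
    """(arch, errno) pairs whose create/modification/access rules are not most-specific-first."""
    bad = []
    for a in archs:
        for e in ERRNOS:
            first = {}
            for idx, r in enumerate(rules):
                kind = rule_kind(r)
                if r["arch"] == a and r["exit"] == e and kind and kind not in first:
                    first[kind] = idx
            seen = [first[k] for k in ("create", "modification", "access") if k in first]
            if seen != sorted(seen):
                bad.append((a, e))
    return bad


def first_matching_key(rules, arch, flags, errno):
    """Key the kernel would attach to a failed open(): the exit filter list is searched in
    order and the first matching rule wins. The audit '&' operator is true when any masked
    bit is set. The auid filters are assumed satisfied (interactive user, auid >= 1000)."""
    for r in rules:
        if r["arch"] == arch and r["exit"] == errno and (
                r["a1mask"] is None or flags & r["a1mask"]):
            return r["key"]
    return None


if __name__ == "__main__":
    rules = load_open_rules(SAMPLE_RULES)
    print("missing O_TRUNC/write rules:", missing_trunc_write_rules(rules))
    print("misordered (arch, errno):", order_violations(rules))
    for arch in ("b64", "b32"):
        print(arch, "open(O_WRONLY|O_TRUNC) failing with EACCES is keyed",
              first_matching_key(rules, arch, O_WRONLY | O_TRUNC, "-EACCES"))
```

    On the constructed sample the b32 half is reported as misordered and, for that architecture, a failed open(O_WRONLY|O_TRUNC) lands under the catch-all unsuccesful-access key instead of unsuccesful-modification, which is exactly what the ordering rule is meant to prevent. To run the check against a real host, concatenate the files in /etc/audit/rules.d (or read /etc/audit/audit.rules when auditctl loading is used) and pass the text to load_open_rules.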
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    defined audit rule must exist  oval:ssg-test_arufm_open_order_32bit_eacces_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_order_32bit_eacces_augenrules:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_eacces_augenrules_regex
    ^/etc/audit/rules\.d/.*\.rules$1

    defined audit rule must exist  oval:ssg-test_arufm_open_order_32bit_eperm_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_order_32bit_eperm_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (from referenced variable):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_eperm_augenrules_regex:
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_arufm_open_order_64bit_eacces_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_order_64bit_eacces_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (from referenced variable):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_eacces_augenrules_regex
    Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_order_64bit_eperm_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_order_64bit_eperm_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (from referenced variable):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_eperm_augenrules_regex:
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_order_32bit_eacces_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_order_32bit_eacces_auditctl:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (from referenced variable):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_auditctl_eacces_regex:v
    Instance: 1

    Test order of audit 32bit auditctl eperm rules order  oval:ssg-test_arufm_open_order_32bit_eperm_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_order_32bit_eperm_auditctl:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (from referenced variable):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_auditctl_eperm_regex:va
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_arufm_open_order_64bit_eacces_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_order_64bit_eacces_auditctl:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (from referenced variable):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_open_order_64bit_auditctl_eacces_regex:var:1)
    Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_open_order_64bit_eperm_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_open_order_64bit_eperm_auditctl:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (from referenced variable):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_auditctl_eperm_regex:va
    Instance: 1
    Record Unsuccessful Access Attempts to Files - openat | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat | medium | CCE-82634-7

    Record Unsuccessful Access Attempts to Files - openat

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_openat:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82634-7

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.4, Req-10.2.1
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205
    app-srg-ctr: SRG-APP-000495-CTR-001235
    anssi: R73
    Description
    At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    Rationale
    Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    ---
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
            mode: 0600
            path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_openat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_openat_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (as listed in the report):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_openat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_openat_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (as listed in the report):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_openat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_openat_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (as listed in the report):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_openat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_openat_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern (as listed in the report):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_openat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_openat_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern (as listed in the report):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_openat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_openat_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern (as listed in the report):
      [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
      ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_openat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_openat_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    /etc/audit/audit.rules  1

    audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_openat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_openat_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    /etc/audit/audit.rules  1
    Record Unsuccessful Creation Attempts to Files - openat O_CREAT  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_creat  medium  CCE-82635-4

    Record Unsuccessful Creation Attempts to Files - openat O_CREAT

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_creat
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_openat_o_creat:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82635-4

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.4, Req-10.2.1
    os-srg: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172
    Description
    The audit system should collect unauthorized file accesses for all users and root. The openat syscall can be used to create new files when the O_CREAT flag is specified. The following audit rules will ensure that unsuccessful attempts to create a file via the openat syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    
    Rationale
    Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    ---
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20aui
d%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20
-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful
-access }}
            mode: 0600
            path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    defined audit rule must exist  oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eacces_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eacces_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^/etc/audit/rules\.d/.*\.rules$  1

    defined audit rule must exist  oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eperm_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eperm_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^/etc/audit/rules\.d/.*\.rules$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eacces_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eacces_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^/etc/audit/rules\.d/.*\.rules$  1

    defined audit rule must exist  oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eperm_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eperm_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^/etc/audit/rules\.d/.*\.rules$  1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /usr/lib/systemd/system/auditd.service  ^ExecStartPost=\-\/sbin\/auditctl.*$  1

    defined audit rule must exist  oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eacces_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eacces_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^/etc/audit/rules\.d/.*\.rules$  1

    defined audit rule must exist  oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eperm_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eperm_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^/etc/audit/rules\.d/.*\.rules$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eacces_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eacces_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^/etc/audit/rules\.d/.*\.rules$  1

    defined audit rule must exist  oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eperm_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eperm_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^/etc/audit/rules\.d/.*\.rules$  1
    Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write  medium  CCE-82636-2

    Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_openat_o_trunc_write:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82636-2

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.4, Req-10.2.1
    os-srg: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172
    Description
    The audit system should collect detailed unauthorized file accesses for all users and root. The openat syscall can be used to modify files if called for a write operation or with the O_TRUNC_WRITE flag. The following audit rules will ensure that unsuccessful attempts to modify a file via the openat syscall are collected. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rules below to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rules below to the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    
    Rationale
    Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    ---
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20aui
d%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20
-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful
-access }}
            mode: 0600
            path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    defined audit rule must exist  oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eacces_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eacces_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eperm_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eperm_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eacces_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eacces_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eperm_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eperm_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eacces_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eacces_auditctl:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eperm_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eperm_auditctl:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eacces_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eacces_auditctl:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eperm_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eperm_auditctl:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_rule_order | medium | CCE-82639-6

    Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_rule_order
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_openat_rule_order:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82639-6

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.4, Req-10.2.1
    os-srg: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172
    Description
    The audit system should collect detailed unauthorized file accesses for all users and root. To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access of files via the openat syscall, the audit rules collecting these events need to be in a certain order: the more specific rules must come before the less specific rules. The reason is that the more specific rules cover a subset of the events covered by the less specific rules, so they must come first or they will be overshadowed by the less specific rules, which match a larger set of events. Make sure that the rules for unsuccessful calls of the openat syscall are in the order shown below. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), check the order of the rules below in a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, check the order of the rules below in the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    -a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
    -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
    
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    -a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
    -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
    -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
    -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access
    
    Rationale
    The more specific rules cover a subset of the events covered by the less specific rules. By ordering them from more specific to less specific, it is ensured that a less specific rule will not catch events that are better recorded by a more specific rule.
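As an added example (not part of the SCAP Security Guide content), the following Python checker applies the ordering requirement above to a rules file: it classifies each openat rule by its a2 filter, reports any rule that lands after a less specific rule for the same architecture and exit code, and lists any of the twelve arch/exit/class combinations that is missing. The sample rule lines are the 32-bit set from this rule's text; load_rules_d and its lexical merge order are assumptions about how augenrules reads /etc/audit/rules.d, not something this guide states.

```python
"""Check the order and presence of auditd openat failure rules.

Added example; not part of the SCAP Security Guide content. Each openat
rule is classified by its a2 flag filter and, per architecture and exit
code, the create and modification rules must precede the access rule.
"""
import glob
import os
import re
from typing import Dict, List, Optional, Tuple

# Specificity rank per a2 filter; a lower rank must appear earlier.
#   a2&0100   O_CREAT set                  unsuccessful create        rank 0
#   a2&01003  O_TRUNC|O_WRONLY|O_RDWR set  unsuccessful modification  rank 1
#   (none)    any other failed open        unsuccessful access        rank 2
RANK: Dict[Optional[str], int] = {"0100": 0, "01003": 1, None: 2}
CLASS_NAME = {0: "create", 1: "modification", 2: "access"}

# Matches the rule shape used in this guide (-k or -F key= both accepted).
RULE_RE = re.compile(
    r"^\s*-a\s+always,exit\s+-F\s+arch=(?P<arch>b32|b64)\s+"
    r"-S\s+(?P<syscalls>\S+)"
    r"(?:\s+-F\s+a2&(?P<a2>\S+))?"
    r"\s+-F\s+exit=(?P<exit>-E[A-Z]+)"
    r"\s+-F\s+auid>=1000\s+-F\s+auid!=(?:unset|4294967295)"
    r"\s+(?:-k\s+|-F\s+key=)(?P<key>\S+)\s*$"
)

def parse_openat_rule(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (arch, exit code, rank) for an openat rule line, else None."""
    m = RULE_RE.match(line)
    if not m or "openat" not in m.group("syscalls").split(","):
        return None
    rank = RANK.get(m.group("a2"))
    if rank is None:  # an a2 mask outside the three classes above
        return None
    return m.group("arch"), m.group("exit"), rank

def check_openat_order(lines: List[str]) -> List[str]:
    """One message per rule that follows a less specific rule for the same
    arch/exit pair; an empty list means the order is correct."""
    highest_seen: Dict[Tuple[str, str], int] = {}
    problems: List[str] = []
    for lineno, line in enumerate(lines, 1):
        parsed = parse_openat_rule(line)
        if parsed is None:
            continue
        arch, exit_code, rank = parsed
        prev = highest_seen.get((arch, exit_code), -1)
        if rank < prev:
            problems.append(
                f"line {lineno}: {arch} {exit_code} {CLASS_NAME[rank]} rule "
                f"is shadowed by an earlier {CLASS_NAME[prev]} rule")
        highest_seen[(arch, exit_code)] = max(prev, rank)
    return problems

def missing_openat_rules(lines: List[str],
                         archs: Tuple[str, ...] = ("b32", "b64")) -> List[str]:
    """The (arch, exit code, class) combinations with no rule at all."""
    present = {p for p in map(parse_openat_rule, lines) if p is not None}
    return [f"{arch} {exit_code} {CLASS_NAME[rank]}"
            for arch in archs
            for exit_code in ("-EACCES", "-EPERM")
            for rank in (0, 1, 2)
            if (arch, exit_code, rank) not in present]

def load_rules_d(directory: str = "/etc/audit/rules.d") -> List[str]:
    """Concatenate *.rules files in lexical filename order (assumed to be
    the order augenrules merges them), so cross-file order is checked too."""
    lines: List[str] = []
    for path in sorted(glob.glob(os.path.join(directory, "*.rules"))):
        with open(path, encoding="utf-8") as fh:
            lines.extend(fh.read().splitlines())
    return lines

# Constructed sample: the 32-bit rules from the text, in the required order.
_A = "-a always,exit -F arch=b32 -S openat"
_B = "-F auid>=1000 -F auid!=unset -F key=unsuccesful-"
GOOD_RULES = [
    f"{_A} -F a2&0100 -F exit=-EACCES {_B}create",
    f"{_A} -F a2&0100 -F exit=-EPERM {_B}create",
    f"{_A} -F a2&01003 -F exit=-EACCES {_B}modification",
    f"{_A} -F a2&01003 -F exit=-EPERM {_B}modification",
    f"{_A} -F exit=-EACCES {_B}access",
    f"{_A} -F exit=-EPERM {_B}access",
]
# Same rules with the -EACCES access rule moved to the top, where it would
# match first and shadow the -EACCES create and modification rules.
BAD_RULES = [GOOD_RULES[i] for i in (4, 0, 2, 1, 3, 5)]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, check_openat_order(rules) or "ordered correctly")
    print("missing for 64-bit:", missing_openat_rules(GOOD_RULES))
```

To check a live system, pass load_rules_d() (augenrules) or the lines of /etc/audit/audit.rules (auditctl) to the two check functions.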
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    defined audit rule must exist  oval:ssg-test_arufm_openat_order_32bit_eacces_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_order_32bit_eacces_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_openat_eacces_augenrules_reg
    Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_openat_order_32bit_eperm_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_order_32bit_eperm_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_openat_eperm_augenrules_rege
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_arufm_openat_order_64bit_eacces_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_order_64bit_eacces_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_openat_eacces_augenrules_reg
    Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_openat_order_64bit_eperm_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_order_64bit_eperm_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_openat_eperm_augenrules_rege
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_openat_order_32bit_eacces_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_order_32bit_eacces_auditctl:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_openat_auditctl_eacces_regex
    Instance: 1

    Test order of audit 32bit auditctl eperm rules order  oval:ssg-test_arufm_openat_order_32bit_eperm_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_order_32bit_eperm_auditctl:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_openat_auditctl_eperm_regex:
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_arufm_openat_order_64bit_eacces_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_order_64bit_eacces_auditctl:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_openat_order_64bit_auditctl_eacces_regex:var:
    Instance: 1

    defined audit rule must exist  oval:ssg-test_arufm_openat_order_64bit_eperm_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arufm_openat_order_64bit_eperm_auditctl:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_openat_auditctl_eperm_regex:
    Instance: 1
    Record Unsuccessful Permission Changes to Files - removexattr | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_removexattr | medium | CCE-82647-9

    Record Unsuccessful Permission Changes to Files - removexattr

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_removexattr
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_removexattr:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82647-9

    References:
    disa: CCI-000172
    nist: AU-2(d), AU-12(c), CM-6(a)
    Description
    The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    Rationale
    Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event into one rule is more efficient. See the following example:
    -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20removexattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20removexattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20removexattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20removexattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
            mode: 0644
            path: /etc/audit/rules.d/75-removexattr_audit_rules_unsuccessful_file_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_removexattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_removexattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath
        ^/etc/audit/rules\.d/.*\.rules$
    Pattern (prefix fragment)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    Pattern (suffix fragment)
        [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern (assembled: prefix + exit filter + suffix)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance
        1

    audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_removexattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_removexattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath
        ^/etc/audit/rules\.d/.*\.rules$
    Pattern (prefix fragment)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    Pattern (suffix fragment)
        [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern (assembled: prefix + exit filter + suffix)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance
        1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_removexattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_removexattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath
        ^/etc/audit/rules\.d/.*\.rules$
    Pattern (prefix fragment)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    Pattern (suffix fragment)
        [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern (assembled: prefix + exit filter + suffix)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance
        1

    audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_removexattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_removexattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath
        ^/etc/audit/rules\.d/.*\.rules$
    Pattern (prefix fragment)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    Pattern (suffix fragment)
        [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern (assembled: prefix + exit filter + suffix)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance
        1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath
        /usr/lib/systemd/system/auditd.service
    Pattern
        ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance
        1

    audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_removexattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_removexattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath
        /etc/audit/audit.rules
    Pattern (prefix fragment)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    Pattern (suffix fragment)
        [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern (assembled: prefix + exit filter + suffix)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance
        1

    audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_removexattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_removexattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath
        /etc/audit/audit.rules
    Pattern (prefix fragment)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    Pattern (suffix fragment)
        [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern (assembled: prefix + exit filter + suffix)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance
        1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_removexattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_removexattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath
        /etc/audit/audit.rules
    Pattern (prefix fragment)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    Pattern (suffix fragment)
        [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern (assembled: prefix + exit filter + suffix)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance
        1

    audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_removexattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_removexattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath
        /etc/audit/audit.rules
    Pattern (prefix fragment)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    Pattern (suffix fragment)
        [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern (assembled: prefix + exit filter + suffix)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance
        1
    Record Unsuccessful Delete Attempts to Files - rename  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename  medium  CCE-82648-7

    Record Unsuccessful Delete Attempts to Files - rename

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_rename:def:1
    Time: 2025-10-23T19:36:54+00:00
    Severity: medium
    Identifiers:

    CCE-82648-7

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.4, Req-10.2.1
    os-srg: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000468-GPOS-00212
    app-srg-ctr: SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270
    Description
    The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file instead.
    -a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
    -a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
    -a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
    Rationale
    Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here each system call has been placed in a rule of its own; grouping the system calls that belong to the same event into one rule is more efficient, as in the following example:
    -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20rename%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20rename%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20rename%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20rename%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
            mode: 0644
            path: /etc/audit/rules.d/75-rename_audit_rules_unsuccessful_file_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_rename_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_rename_augenrules:obj:1 of type textfilecontent54_object
    Filepath
        ^/etc/audit/rules\.d/.*\.rules$
    Pattern (prefix fragment)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    Pattern (suffix fragment)
        [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern (assembled: prefix + exit filter + suffix)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance
        1

    audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_rename_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_rename_augenrules:obj:1 of type textfilecontent54_object
    Filepath
        ^/etc/audit/rules\.d/.*\.rules$
    Pattern (prefix fragment)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    Pattern (suffix fragment)
        [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern (assembled: prefix + exit filter + suffix)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance
        1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_rename_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_rename_augenrules:obj:1 of type textfilecontent54_object
    Filepath
        ^/etc/audit/rules\.d/.*\.rules$
    Pattern (prefix fragment)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    Pattern (suffix fragment)
        [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern (assembled: prefix + exit filter + suffix)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance
        1

    audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_rename_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_rename_augenrules:obj:1 of type textfilecontent54_object
    Filepath
        ^/etc/audit/rules\.d/.*\.rules$
    Pattern (prefix fragment)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    Pattern (suffix fragment)
        [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern (assembled: prefix + exit filter + suffix)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance
        1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath
        /usr/lib/systemd/system/auditd.service
    Pattern
        ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance
        1

    audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_rename_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_rename_auditctl:obj:1 of type textfilecontent54_object
    Filepath
        /etc/audit/audit.rules
    Pattern (prefix fragment)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    Pattern (suffix fragment)
        [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern (assembled: prefix + exit filter + suffix)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance
        1

    audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_rename_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_rename_auditctl:obj:1 of type textfilecontent54_object
    Filepath
        /etc/audit/audit.rules
    Pattern (prefix fragment)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    Pattern (suffix fragment)
        [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern (assembled: prefix + exit filter + suffix)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance
        1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_rename_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_rename_auditctl:obj:1 of type textfilecontent54_object
    Filepath
        /etc/audit/audit.rules
    Pattern (prefix fragment)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    Pattern (suffix fragment)
        [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern (assembled: prefix + exit filter + suffix)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance
        1

    audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_rename_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_rename_auditctl:obj:1 of type textfilecontent54_object
    Filepath
        /etc/audit/audit.rules
    Pattern (prefix fragment)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    Pattern (suffix fragment)
        [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern (assembled: prefix + exit filter + suffix)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance
        1
    Record Unsuccessful Delete Attempts to Files - renameat  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat  medium  CCE-82649-5

    Record Unsuccessful Delete Attempts to Files - renameat

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_renameat:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82649-5

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.4, Req-10.2.1
    os-srg: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000468-GPOS-00212
    app-srg-ctr: SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270
    Description
    The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file instead.
    -a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
    -a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
    -a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
    Rationale
    Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here each system call has been placed in a rule of its own; grouping the system calls that belong to the same event into one rule is more efficient, as in the following example:
    -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20renameat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20renameat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20renameat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20renameat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
            mode: 0644
            path: /etc/audit/rules.d/75-renameat_audit_rules_unsuccessful_file_modification.rules
            overwrite: true
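
    The OVAL tests for these rules match each rule line against one regular expression assembled from the fragments printed in the Pattern column, and the MachineConfig remediations deliver the rule files as percent-encoded data: URLs. The Python below is added here as an example; it is not code from ComplianceAsCode, OpenSCAP or the Compliance Operator. It rebuilds that check and the data: codec so the renameat remediation just above, and the removexattr and rename remediations earlier, can be verified offline, and it shows two behaviours of the check that the descriptions do not spell out: the grouped-syscall form from the Warnings is accepted, and the filters must appear in the order exit, auid>=1000, auid!=unset, key. The function names and the GROUPED_RULES text are ours (GROUPED_RULES is a constructed rules file); the regex fragments and RENAMEAT_SOURCE are copied from the report.

```python
"""Offline re-implementation of the OVAL textfilecontent54 check used by the
audit_rules_unsuccessful_file_modification_* rules, plus a codec for the
data: URL carried by the MachineConfig remediation.

Added example; not SCAP Security Guide code.  Function names are ours.
"""
import re
from urllib.parse import quote, unquote

# Fragments of the OVAL pattern exactly as printed in the report's Pattern column:
#   prefix  ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=<ARCH>[\s]+)
#           (?:.*(-S[\s]+<SC>[\s]+|([\s]+|[,])<SC>([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
#   exit    (?:-F\s+exit=-<ERRNO>)
#   suffix  [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)
#           (?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
SUFFIX = (r"[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)"
          r"(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$")


def oval_pattern(arch: str, syscall: str, errno: str) -> "re.Pattern[str]":
    """Assemble prefix + exit filter + suffix for one (arch, syscall, errno)."""
    sc = re.escape(syscall)
    prefix = (r"^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=" + arch + r"[\s]+)"
              r"(?:.*(-S[\s]+" + sc + r"[\s]+|([\s]+|[,])" + sc + r"([\s]+|[,])))"
              r"(?:(?!-F[\s]+a\d&).)*")
    exit_filter = r"(?:-F\s+exit=-" + errno + r")"
    # MULTILINE so ^/$ anchor on each rule line, as the OVAL object does per line.
    return re.compile(prefix + exit_filter + SUFFIX, re.MULTILINE)


def missing_rules(rules_text: str, syscall: str,
                  archs=("b32", "b64"), errnos=("EACCES", "EPERM")):
    """(arch, errno) pairs for which no line of rules_text satisfies the check.

    An empty list means the OVAL check for `syscall` passes on this text.
    """
    return [(arch, errno) for arch in archs for errno in errnos
            if not oval_pattern(arch, syscall, errno).search(rules_text)]


def decode_data_url(source: str) -> str:
    """File body of a MachineConfig `data:,<percent-encoded>` source."""
    prefix = "data:,"
    if not source.startswith(prefix):
        raise ValueError("only unparameterised data:, URLs are handled here")
    return unquote(source[len(prefix):])


def encode_data_url(body: str) -> str:
    """Inverse of decode_data_url; safe='' also encodes ',', '=', '>' and '!'."""
    return "data:," + quote(body, safe="")


# Remediation source for the renameat rule, copied verbatim from the report.
RENAMEAT_SOURCE = (
    "data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20renameat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A"
    "-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20renameat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A"
    "-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20renameat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A"
    "-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20renameat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A"
)

# Constructed rules file: line 1 is the grouped form from the rule's Warning;
# line 2 has the same effect for the kernel but lists its filters in another order.
GROUPED_RULES = (
    "-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat "
    "-F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete\n"
    "-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat "
    "-F auid>=1000 -F auid!=unset -F exit=-EACCES -F key=unsuccessful-delete\n"
)

if __name__ == "__main__":
    body = decode_data_url(RENAMEAT_SOURCE)
    print("remediation, renameat:", missing_rules(body, "renameat"))   # []
    print("remediation, rename:  ", missing_rules(body, "rename"))     # all four pairs
    print("grouped file, renameat:", missing_rules(GROUPED_RULES, "renameat"))
```

Run as a script it prints the (arch, errno) pairs the check would report as missing; an empty list for a syscall means the corresponding rule passes. The second print shows that a renameat rule does not satisfy the separate rename rule (the pattern demands a space or comma on both sides of the syscall name), and the third shows that the reordered b64 line in GROUPED_RULES is not counted even though auditd would load it. To check a live node, pass the concatenation of /etc/audit/rules.d/*.rules (augenrules) or /etc/audit/audit.rules (auditctl), whichever the ExecStartPost line in auditd.service selects.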
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_renameat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_renameat_augenrules:obj:1 of type textfilecontent54_object
    Filepath
        ^/etc/audit/rules\.d/.*\.rules$
    Pattern (prefix fragment)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    Pattern (suffix fragment)
        [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Pattern (assembled: prefix + exit filter + suffix)
        ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance
        1

    audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_renameat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_renameat_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_renameat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_renameat_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_renameat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_renameat_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /usr/lib/systemd/system/auditd.service  ^ExecStartPost=\-\/sbin\/auditctl.*$  1

    audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_renameat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_renameat_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_renameat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_renameat_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_renameat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_renameat_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_renameat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_renameat_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Unsuccessful Permission Changes to Files - setxattr  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_setxattr  medium  CCE-82650-3

    Record Unsuccessful Permission Changes to Files - setxattr

    Rule ID  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_setxattr
    Result  fail
    Multi-check rule  no
    OVAL Definition ID  oval:ssg-audit_rules_unsuccessful_file_modification_setxattr:def:1
    Time  2025-10-23T19:36:55+00:00
    Severity  medium
    Identifiers:

    CCE-82650-3

    References:
    disa  CCI-000172
    nist  AU-2(d), AU-12(c), CM-6(a)
    Description
    The audit system should collect unsuccessful file permission change attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    -a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
    Rationale
    Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the audit rule checks a system call independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20setxattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20setxattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20setxattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20setxattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
            mode: 0644
            path: /etc/audit/rules.d/75-setxattr_audit_rules_unsuccessful_file_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_setxattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_setxattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_setxattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_setxattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_setxattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_setxattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_setxattr_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_setxattr_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /usr/lib/systemd/system/auditd.service  ^ExecStartPost=\-\/sbin\/auditctl.*$  1

    audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_setxattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_setxattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_setxattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_setxattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_setxattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_setxattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_setxattr_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_setxattr_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Unsuccessful Access Attempts to Files - truncate  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate  medium  CCE-82651-1

    Record Unsuccessful Access Attempts to Files - truncate

    Rule ID  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate
    Result  fail
    Multi-check rule  no
    OVAL Definition ID  oval:ssg-audit_rules_unsuccessful_file_modification_truncate:def:1
    Time  2025-10-23T19:36:55+00:00
    Severity  medium
    Identifiers:

    CCE-82651-1

    References:
    cis-csc  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5  APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui  3.1.7
    disa  CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa  164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009  4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013  SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013  A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist  AU-2(d), AU-12(c), CM-6(a)
    nist-csf  DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss  Req-10.2.4, Req-10.2.1
    os-srg  SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205
    app-srg-ctr  SRG-APP-000495-CTR-001235
    anssi  R73
    Description
    At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
    -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
    Rationale
    Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    ---
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20aui
d%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20
-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful
-access }}
            mode: 0600
            path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_truncate_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_truncate_augenrules:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Instance: 1

    audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_truncate_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_truncate_augenrules:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_truncate_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_truncate_augenrules:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Instance: 1

    audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_truncate_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_truncate_augenrules:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_truncate_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_truncate_auditctl:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: /etc/audit/audit.rules
    Instance: 1

    audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_truncate_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_truncate_auditctl:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: /etc/audit/audit.rules
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_truncate_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_truncate_auditctl:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: /etc/audit/audit.rules
    Instance: 1

    audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_truncate_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_truncate_auditctl:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: /etc/audit/audit.rules
    Instance: 1
    Record Unsuccessful Delete Attempts to Files - unlinkat | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlinkat | medium | CCE-82653-7

    Record Unsuccessful Delete Attempts to Files - unlinkat

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlinkat
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_unsuccessful_file_modification_unlinkat:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82653-7

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.4, Req-10.2.1
    os-srg: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000468-GPOS-00212
    app-srg-ctr: SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270
    Description
    The audit system should collect unsuccessful file deletion attempts for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file.
    -a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
    -a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
    -a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
    Rationale
    Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    Warning: Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlinkat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlinkat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlinkat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlinkat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
            mode: 0644
            path: /etc/audit/rules.d/75-unlinkat_audit_rules_unsuccessful_file_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_unlinkat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_unlinkat_augenrules:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Instance: 1

    audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_unlinkat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_unlinkat_augenrules:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_unlinkat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_unlinkat_augenrules:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Instance: 1

    audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_unlinkat_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_unlinkat_augenrules:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_unlinkat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eacces_unlinkat_auditctl:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: /etc/audit/audit.rules
    Instance: 1

    audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_unlinkat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_arufm_eperm_unlinkat_auditctl:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: /etc/audit/audit.rules
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_unlinkat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eacces_unlinkat_auditctl:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: /etc/audit/audit.rules
    Instance: 1

    audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_unlinkat_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_arufm_eperm_unlinkat_auditctl:obj:1 of type textfilecontent54_object
    Pattern:
    [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*
    ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Filepath: /etc/audit/audit.rules
    Instance: 1
    Ensure auditd Collects Information on Kernel Module Unloading - delete_module | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete | medium | CCE-82580-2

    Ensure auditd Collects Information on Kernel Module Unloading - delete_module

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_kernel_module_loading_delete:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82580-2

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.7
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222
    app-srg-ctr: SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280, CNTR-OS-000930, CNTR-OS-000980
    anssi: R73
    Description
    To capture kernel module unloading events, use the following line, setting ARCH to b32 for a 32-bit system, or adding two lines, one with b32 and one with b64, if your system is 64-bit:
    -a always,exit -F arch=ARCH -S delete_module -F key=modules
    Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.
    Rationale
    The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
            mode: 0600
            path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit delete_module  oval:ssg-test_32bit_ardm_delete_module_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_delete_module_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit delete_module  oval:ssg-test_64bit_ardm_delete_module_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_delete_module_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit delete_module  oval:ssg-test_32bit_ardm_delete_module_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_delete_module_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit delete_module  oval:ssg-test_64bit_ardm_delete_module_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_delete_module_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit | medium | CCE-82581-0

    Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_kernel_module_loading_finit:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82581-0

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.7
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222
    app-srg-ctr: SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280, CNTR-OS-000930, CNTR-OS-000980
    anssi: R73
    Description
    If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
    -a always,exit -F arch=ARCH -S finit_module -F key=modules
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
    -a always,exit -F arch=ARCH -S finit_module -F key=modules
    Rationale
    The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20finit_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20finit_module%20-k%20module-change%0A
            mode: 0600
            path: /etc/audit/rules.d/75-kernel-module-loading-finit.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit finit_module  oval:ssg-test_32bit_ardm_finit_module_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_finit_module_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit finit_module  oval:ssg-test_64bit_ardm_finit_module_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_finit_module_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit finit_module  oval:ssg-test_32bit_ardm_finit_module_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_finit_module_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit finit_module  oval:ssg-test_64bit_ardm_finit_module_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_finit_module_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Ensure auditd Collects Information on Kernel Module Loading - init_module | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init | medium | CCE-82582-8

    Ensure auditd Collects Information on Kernel Module Loading - init_module

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_kernel_module_loading_init:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82582-8

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.7
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222
    app-srg-ctr: SRG-APP-000495-CTR-001235, SRG-APP-000504-CTR-001280, CNTR-OS-000930, CNTR-OS-000980
    anssi: R73
    Description
    To capture kernel module loading events, use the following line, setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -S init_module -F key=modules
    Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.
    Rationale
    The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%20-k%20module-change%0A
            mode: 0600
            path: /etc/audit/rules.d/75-kernel-module-loading-init.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit init_module  oval:ssg-test_32bit_ardm_init_module_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_init_module_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit init_module  oval:ssg-test_64bit_ardm_init_module_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_init_module_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit init_module  oval:ssg-test_32bit_ardm_init_module_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_init_module_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit init_module  oval:ssg-test_64bit_ardm_init_module_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_init_module_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Ensure auditd Collects Information on the Use of Privileged Commands - at | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at | medium | CCE-82590-1

    Ensure auditd Collects Information on the Use of Privileged Commands - at

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_at:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82590-1

    References:
    disa: CCI-000172
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/at -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules, setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/at -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/at%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/at%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_bin_at_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    not evaluated | /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load

    audit augenrules at  oval:ssg-test_audit_rules_privileged_commands_at_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_at_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules at  oval:ssg-test_audit_rules_privileged_commands_at_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_at_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl at  oval:ssg-test_audit_rules_privileged_commands_at_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_at_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl at  oval:ssg-test_audit_rules_privileged_commands_at_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_at_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Ensure auditd Collects Information on the Use of Privileged Commands - chage | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage | medium | CCE-82591-9

    Ensure auditd Collects Information on the Use of Privileged Commands - chage

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_chage:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82591-9

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215
    app-srg-ctr: SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000080, CNTR-OS-000930, CNTR-OS-000960
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules, setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/chage%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/chage%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_bin_chage_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules chage  oval:ssg-test_audit_rules_privileged_commands_chage_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_chage_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules chage  oval:ssg-test_audit_rules_privileged_commands_chage_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_chage_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl chage  oval:ssg-test_audit_rules_privileged_commands_chage_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_chage_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl chage  oval:ssg-test_audit_rules_privileged_commands_chage_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_chage_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Ensure auditd Collects Information on the Use of Privileged Commands - chsh  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh  medium  CCE-82592-7

    Ensure auditd Collects Information on the Use of Privileged Commands - chsh

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_chsh:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82592-7

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
    app-srg-ctr: SRG-APP-000495-CTR-001235, CNTR-OS-000930
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with the suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the same form to /etc/audit/audit.rules, again setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/chsh%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/chsh%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_bin_chsh_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules chsh  oval:ssg-test_audit_rules_privileged_commands_chsh_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_chsh_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules chsh  oval:ssg-test_audit_rules_privileged_commands_chsh_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_chsh_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl chsh  oval:ssg-test_audit_rules_privileged_commands_chsh_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_chsh_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl chsh  oval:ssg-test_audit_rules_privileged_commands_chsh_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_chsh_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Ensure auditd Collects Information on the Use of Privileged Commands - crontab  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab  medium  CCE-82593-5

    Ensure auditd Collects Information on the Use of Privileged Commands - crontab

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_crontab:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82593-5

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
    app-srg-ctr: SRG-APP-000495-CTR-001235, CNTR-OS-000930
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with the suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the same form to /etc/audit/audit.rules, again setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/crontab%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/crontab%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_bin_crontab_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules crontab  oval:ssg-test_audit_rules_privileged_commands_crontab_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_crontab_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules crontab  oval:ssg-test_audit_rules_privileged_commands_crontab_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_crontab_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl crontab  oval:ssg-test_audit_rules_privileged_commands_crontab_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_crontab_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl crontab  oval:ssg-test_audit_rules_privileged_commands_crontab_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_crontab_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd  medium  CCE-82594-3

    Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_gpasswd:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82594-3

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
    app-srg-ctr: SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, CNTR-OS-000080, CNTR-OS-000930
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with the suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the same form to /etc/audit/audit.rules, again setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/gpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/gpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_bin_gpasswd_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules gpasswd  oval:ssg-test_audit_rules_privileged_commands_gpasswd_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_gpasswd_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules gpasswd  oval:ssg-test_audit_rules_privileged_commands_gpasswd_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_gpasswd_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl gpasswd  oval:ssg-test_audit_rules_privileged_commands_gpasswd_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_gpasswd_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl gpasswd  oval:ssg-test_audit_rules_privileged_commands_gpasswd_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_gpasswd_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Ensure auditd Collects Information on the Use of Privileged Commands - mount  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount  medium  CCE-82595-0

    Ensure auditd Collects Information on the Use of Privileged Commands - mount

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_mount:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82595-0

    References:
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
    app-srg-ctr: SRG-APP-000029-CTR-000085, CNTR-OS-000080
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system, or adding two such lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules, setting ARCH to b32 on a 32-bit system, or adding two such lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/mount%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/mount%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_bin_mount_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules mount  oval:ssg-test_audit_rules_privileged_commands_mount_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_mount_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules mount  oval:ssg-test_audit_rules_privileged_commands_mount_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_mount_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl mount  oval:ssg-test_audit_rules_privileged_commands_mount_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_mount_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl mount  oval:ssg-test_audit_rules_privileged_commands_mount_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_mount_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgidmap  medium  CCE-82596-8

    Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgidmap
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_newgidmap:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82596-8

    References:
    disa: CCI-000172
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system, or adding two such lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/newgidmap -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules, setting ARCH to b32 on a 32-bit system, or adding two such lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/newgidmap -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/newgidmap%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/newgidmap%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_bin_newgidmap_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules newgidmap  oval:ssg-test_audit_rules_privileged_commands_newgidmap_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_newgidmap_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules newgidmap  oval:ssg-test_audit_rules_privileged_commands_newgidmap_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_newgidmap_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl newgidmap  oval:ssg-test_audit_rules_privileged_commands_newgidmap_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_newgidmap_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl newgidmap  oval:ssg-test_audit_rules_privileged_commands_newgidmap_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_newgidmap_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Ensure auditd Collects Information on the Use of Privileged Commands - newgrp  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp  medium  CCE-82597-6

    Ensure auditd Collects Information on the Use of Privileged Commands - newgrp

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_newgrp:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82597-6

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
    app-srg-ctr: SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, CNTR-OS-000080, CNTR-OS-000930
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system, or adding two such lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules, setting ARCH to b32 on a 32-bit system, or adding two such lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/newgrp%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/newgrp%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_bin_newgrp_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules newgrp  oval:ssg-test_audit_rules_privileged_commands_newgrp_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_newgrp_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules newgrp  oval:ssg-test_audit_rules_privileged_commands_newgrp_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_newgrp_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl newgrp  oval:ssg-test_audit_rules_privileged_commands_newgrp_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_newgrp_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl newgrp  oval:ssg-test_audit_rules_privileged_commands_newgrp_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_newgrp_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newuidmap
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_newuidmap:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers: CCE-82598-4

    References:
    disa: CCI-000172
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with the suffix .rules in the directory /etc/audit/rules.d. On a 32-bit system set ARCH to b32; on a 64-bit system add two such lines, one with arch=b32 and one with arch=b64:
    -a always,exit -F arch=ARCH -F path=/usr/bin/newuidmap -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the same form to /etc/audit/audit.rules, again with ARCH set to b32 on a 32-bit system and with two lines (b32 and b64) on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/newuidmap -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/newuidmap%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/newuidmap%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_bin_newuidmap_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules newuidmap  oval:ssg-test_audit_rules_privileged_commands_newuidmap_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_newuidmap_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules newuidmap  oval:ssg-test_audit_rules_privileged_commands_newuidmap_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_newuidmap_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl newuidmap  oval:ssg-test_audit_rules_privileged_commands_newuidmap_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_newuidmap_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl newuidmap  oval:ssg-test_audit_rules_privileged_commands_newuidmap_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_newuidmap_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_pam_timestamp_check:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers: CCE-82599-2

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
    app-srg-ctr: SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, CNTR-OS-000080, CNTR-OS-000930
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with the suffix .rules in the directory /etc/audit/rules.d. On a 32-bit system set ARCH to b32; on a 64-bit system add two such lines, one with arch=b32 and one with arch=b64:
    -a always,exit -F arch=ARCH -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the same form to /etc/audit/audit.rules, again with ARCH set to b32 on a 32-bit system and with two lines (b32 and b64) on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/sbin/pam_timestamp_check -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/sbin/pam_timestamp_check%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/sbin/pam_timestamp_check%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_sbin_pam_timestamp_check_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules pam_timestamp_check  oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_pam_timestamp_check_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules pam_timestamp_check  oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_pam_timestamp_check_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl pam_timestamp_check  oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_pam_timestamp_check_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl pam_timestamp_check  oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_pam_timestamp_check_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Ensure auditd Collects Information on the Use of Privileged Commands - passwd

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_passwd:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers: CCE-82600-8

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
    app-srg-ctr: SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, CNTR-OS-000080, CNTR-OS-000930
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with the suffix .rules in the directory /etc/audit/rules.d. On a 32-bit system set ARCH to b32; on a 64-bit system add two such lines, one with arch=b32 and one with arch=b64:
    -a always,exit -F arch=ARCH -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the same form to /etc/audit/audit.rules, again with ARCH set to b32 on a 32-bit system and with two lines (b32 and b64) on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_bin_passwd_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules passwd  oval:ssg-test_audit_rules_privileged_commands_passwd_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_passwd_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules passwd  oval:ssg-test_audit_rules_privileged_commands_passwd_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_passwd_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl passwd  oval:ssg-test_audit_rules_privileged_commands_passwd_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_passwd_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl passwd  oval:ssg-test_audit_rules_privileged_commands_passwd_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_passwd_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Ensure auditd Collects Information on the Use of Privileged Commands - postdrop

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_postdrop:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers: CCE-82601-6

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
    app-srg-ctr: SRG-APP-000495-CTR-001235, CNTR-OS-000930
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with the suffix .rules in the directory /etc/audit/rules.d. On a 32-bit system set ARCH to b32; on a 64-bit system add two such lines, one with arch=b32 and one with arch=b64:
    -a always,exit -F arch=ARCH -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the same form to /etc/audit/audit.rules, again with ARCH set to b32 on a 32-bit system and with two lines (b32 and b64) on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/sbin/postdrop -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/sbin/postdrop%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/sbin/postdrop%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_sbin_postdrop_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules postdrop  oval:ssg-test_audit_rules_privileged_commands_postdrop_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_postdrop_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/postdrop[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules postdrop  oval:ssg-test_audit_rules_privileged_commands_postdrop_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_postdrop_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/postdrop[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl postdrop  oval:ssg-test_audit_rules_privileged_commands_postdrop_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_postdrop_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/postdrop[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl postdrop  oval:ssg-test_audit_rules_privileged_commands_postdrop_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_postdrop_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/postdrop[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Ensure auditd Collects Information on the Use of Privileged Commands - postqueue  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue  medium  CCE-82602-4

    Ensure auditd Collects Information on the Use of Privileged Commands - postqueue

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_postqueue:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82602-4

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
    app-srg-ctr: SRG-APP-000495-CTR-001235, CNTR-OS-000930
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with the suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules, again setting ARCH to b32 on a 32-bit system, or using two lines (b32 and b64) on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/sbin/postqueue -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/sbin/postqueue%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/sbin/postqueue%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_sbin_postqueue_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules postqueue  oval:ssg-test_audit_rules_privileged_commands_postqueue_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_postqueue_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/postqueue[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules postqueue  oval:ssg-test_audit_rules_privileged_commands_postqueue_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_postqueue_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/postqueue[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl postqueue  oval:ssg-test_audit_rules_privileged_commands_postqueue_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_postqueue_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/postqueue[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl postqueue  oval:ssg-test_audit_rules_privileged_commands_postqueue_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_postqueue_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/postqueue[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown  medium  CCE-82603-2

    Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_pt_chown:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82603-2

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000135, CCI-000172, CCI-002884
    isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
    os-srg: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215
    app-srg-ctr: SRG-APP-000499-CTR-001255, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, CNTR-OS-000950, CNTR-OS-000960
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with the suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/libexec/pt_chown -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules, again setting ARCH to b32 on a 32-bit system, or using two lines (b32 and b64) on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/libexec/pt_chown -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/libexec/pt_chown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/libexec/pt_chown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_libexec_pt_chown_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules pt_chown  oval:ssg-test_audit_rules_privileged_commands_pt_chown_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_pt_chown_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules pt_chown  oval:ssg-test_audit_rules_privileged_commands_pt_chown_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_pt_chown_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl pt_chown  oval:ssg-test_audit_rules_privileged_commands_pt_chown_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_pt_chown_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl pt_chown  oval:ssg-test_audit_rules_privileged_commands_pt_chown_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_pt_chown_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign  medium  CCE-82604-0

    Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_ssh_keysign:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82604-0

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
    app-srg-ctr: SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, CNTR-OS-000080, CNTR-OS-000930
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with the suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules, again setting ARCH to b32 on a 32-bit system, or using two lines (b32 and b64) on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/libexec/openssh/ssh-keysign%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/libexec/openssh/ssh-keysign%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_libexec_openssh_ssh-keysign_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules ssh_keysign  oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules ssh_keysign  oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl ssh_keysign  oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl ssh_keysign  oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Ensure auditd Collects Information on the Use of Privileged Commands - su  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su  medium  CCE-82605-7

    Ensure auditd Collects Information on the Use of Privileged Commands - su

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_su:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82605-7

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000755-GPOS-00220
    app-srg-ctr: SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, CNTR-OS-000080, CNTR-OS-000930, CNTR-OS-000950
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system, or adding two such lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules, again setting ARCH to b32 on a 32-bit system, or adding two such lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/su%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/su%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_bin_su_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules su  oval:ssg-test_audit_rules_privileged_commands_su_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_su_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules su  oval:ssg-test_audit_rules_privileged_commands_su_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_su_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl su  oval:ssg-test_audit_rules_privileged_commands_su_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_su_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl su  oval:ssg-test_audit_rules_privileged_commands_su_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_su_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Ensure auditd Collects Information on the Use of Privileged Commands - sudo  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo  medium  CCE-82606-5

    Ensure auditd Collects Information on the Use of Privileged Commands - sudo

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_sudo:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82606-5

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000755-GPOS-00220
    app-srg-ctr: SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, CNTR-OS-000080, CNTR-OS-000930, CNTR-OS-000950
    anssi: R33
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system, or adding two such lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules, again setting ARCH to b32 on a 32-bit system, or adding two such lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/sudo%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/sudo%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_bin_sudo_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules sudo  oval:ssg-test_audit_rules_privileged_commands_sudo_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_sudo_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules sudo  oval:ssg-test_audit_rules_privileged_commands_sudo_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_sudo_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl sudo  oval:ssg-test_audit_rules_privileged_commands_sudo_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_sudo_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl sudo  oval:ssg-test_audit_rules_privileged_commands_sudo_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_sudo_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit  medium  CCE-82607-3

    Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_sudoedit:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82607-3

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000755-GPOS-00220
    app-srg-ctr: SRG-APP-000495-CTR-001235, CNTR-OS-000930
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system, or adding two such lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules, again setting ARCH to b32 on a 32-bit system, or adding two such lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/sudoedit%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/sudoedit%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_bin_sudoedit_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules sudoedit  oval:ssg-test_audit_rules_privileged_commands_sudoedit_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_sudoedit_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules sudoedit  oval:ssg-test_audit_rules_privileged_commands_sudoedit_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_sudoedit_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl sudoedit  oval:ssg-test_audit_rules_privileged_commands_sudoedit_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_sudoedit_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl sudoedit  oval:ssg-test_audit_rules_privileged_commands_sudoedit_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_sudoedit_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Ensure auditd Collects Information on the Use of Privileged Commands - umount | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount | medium | CCE-82608-1

    Ensure auditd Collects Information on the Use of Privileged Commands - umount

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_umount:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82608-1

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
    app-srg-ctr: SRG-APP-000029-CTR-000085, CNTR-OS-000080
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with the suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules, again setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/bin/umount%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/bin/umount%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_bin_umount_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules umount  oval:ssg-test_audit_rules_privileged_commands_umount_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_umount_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/umount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules umount  oval:ssg-test_audit_rules_privileged_commands_umount_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_umount_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/umount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl umount  oval:ssg-test_audit_rules_privileged_commands_umount_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_umount_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/bin\/umount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl umount  oval:ssg-test_audit_rules_privileged_commands_umount_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_umount_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/bin\/umount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd | medium | CCE-82609-9

    Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_unix_chkpwd:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82609-9

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R6.5
    nist: AC-2(4), AU-2(d), AU-3, AU-3.1, AU-12(a), AU-12(c), AU-12.1(ii), AU-12.1(iv), AC-6(9), CM-6(a), MA-4(1)(a)
    nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
    app-srg-ctr: SRG-APP-000029-CTR-000085, SRG-APP-000495-CTR-001235, CNTR-OS-000080, CNTR-OS-000930
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with the suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules, again setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/sbin/unix_chkpwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/sbin/unix_chkpwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_sbin_unix_chkpwd_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules unix_chkpwd  oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules unix_chkpwd  oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl unix_chkpwd  oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl unix_chkpwd  oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Ensure auditd Collects Information on the Use of Privileged Commands - userhelper | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper | medium | CCE-82610-7

    Ensure auditd Collects Information on the Use of Privileged Commands - userhelper

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_userhelper:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82610-7

    References:
    cis-csc: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000172, CCI-000130, CCI-000135, CCI-000169, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
    iso27001-2013: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
    app-srg-ctr: SRG-APP-000495-CTR-001235, CNTR-OS-000930
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with the suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules, again setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/sbin/userhelper%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/sbin/userhelper%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_sbin_userhelper_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules userhelper  oval:ssg-test_audit_rules_privileged_commands_userhelper_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_userhelper_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules userhelper  oval:ssg-test_audit_rules_privileged_commands_userhelper_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_userhelper_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl userhelper  oval:ssg-test_audit_rules_privileged_commands_userhelper_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_userhelper_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl userhelper  oval:ssg-test_audit_rules_privileged_commands_userhelper_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_userhelper_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl | medium | CCE-82611-5

    Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_privileged_commands_usernetctl:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82611-5

    References:
    disa: CCI-000172
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    Description
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, if your system is 64-bit:
    -a always,exit -F arch=ARCH -F path=/usr/sbin/usernetctl -F auid>=1000 -F auid!=unset -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules, setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, if your system is 64-bit:
    -a always,exit -F arch=ARCH -F path=/usr/sbin/usernetctl -F auid>=1000 -F auid!=unset -F key=privileged
    Rationale
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20path%3D/usr/sbin/usernetctl%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20path%3D/usr/sbin/usernetctl%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
            mode: 0644
            path: /etc/audit/rules.d/75-usr_sbin_usernetctl_execution.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules usernetctl  oval:ssg-test_audit_rules_privileged_commands_usernetctl_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_usernetctl_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/usernetctl[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules usernetctl  oval:ssg-test_audit_rules_privileged_commands_usernetctl_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_usernetctl_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/usernetctl[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /usr/lib/systemd/system/auditd.service  ^ExecStartPost=\-\/sbin\/auditctl.*$  1

    audit auditctl usernetctl  oval:ssg-test_audit_rules_privileged_commands_usernetctl_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_usernetctl_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/audit/audit.rules  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-F[\s]+path=\/usr\/sbin\/usernetctl[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl usernetctl  oval:ssg-test_audit_rules_privileged_commands_usernetctl_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_privileged_commands_usernetctl_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/audit/audit.rules  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-F[\s]+path=\/usr\/sbin\/usernetctl[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1
    Record attempts to alter time through adjtimex  xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex  medium  CCE-82614-9

    Record attempts to alter time through adjtimex

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_time_adjtimex:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82614-9

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-001487, CCI-000169
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.4.2.b
    anssi: R73
    pcidss4: 10.6.3, 10.6
    Description
    If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
    If the system is 64-bit, also add the following line:
    -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
    If the system is 64-bit, also add the following line:
    -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
    The -k option (equivalent to -F key=) allows a key to be specified in string form, which enables better reporting through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:
    -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
    Rationale
    Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

    Complexity: low
    Disruption: low
    Reboot: true
    Strategy: restrict
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A
            mode: 0600
            path: /etc/audit/rules.d/75-syscall-adjtimex.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit adjtimex  oval:ssg-test_32bit_art_adjtimex_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_art_adjtimex_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit adjtimex  oval:ssg-test_64bit_art_adjtimex_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_art_adjtimex_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /usr/lib/systemd/system/auditd.service  ^ExecStartPost=\-\/sbin\/auditctl.*$  1

    audit auditctl 32-bit adjtimex  oval:ssg-test_32bit_art_adjtimex_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_art_adjtimex_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/audit/audit.rules  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit adjtimex  oval:ssg-test_64bit_art_adjtimex_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_art_adjtimex_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/audit/audit.rules  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1
    Record Attempts to Alter Time Through clock_settime  xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime  medium  CCE-82615-6

    Record Attempts to Alter Time Through clock_settime

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_time_clock_settime:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82615-6

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-001487, CCI-000169
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.4.2.b
    anssi: R73
    pcidss4: 10.6.3, 10.6
    Description
    If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
    If the system is 64-bit, also add the following line:
    -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
    If the system is 64-bit, also add the following line:
    -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
    The -k option (equivalent to -F key=) allows a key to be specified in string form, which enables better reporting through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:
    -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
    Rationale
    Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

    Complexity: low
    Disruption: low
    Reboot: true
    Strategy: restrict
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A
            mode: 0600
            path: /etc/audit/rules.d/75-syscall-clock-settime.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit clock_settime  oval:ssg-test_32bit_art_clock_settime_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_art_clock_settime_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit clock_settime  oval:ssg-test_64bit_art_clock_settime_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_art_clock_settime_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$  1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /usr/lib/systemd/system/auditd.service  ^ExecStartPost=\-\/sbin\/auditctl.*$  1

    audit auditctl 32-bit clock_settime  oval:ssg-test_32bit_art_clock_settime_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_art_clock_settime_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/audit/audit.rules  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit clock_settime  oval:ssg-test_64bit_art_clock_settime_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_art_clock_settime_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/audit/audit.rules  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$  1
    Record attempts to alter time through settimeofday  xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday  medium  CCE-82616-4

    Record attempts to alter time through settimeofday

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_time_settimeofday:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82616-4

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-001487, CCI-000169
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.4.2.b
    pcidss4: 10.6.3, 10.6
    Description
    If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
    If the system is 64-bit, also add the following line:
    -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
    If the system is 64-bit, also add the following line:
    -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
    The -k option (equivalent to -F key=) allows a key to be specified in string form, which enables better reporting through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:
    -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
    Rationale
    Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

    Complexity: low
    Disruption: low
    Reboot: true
    Strategy: restrict
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20settimeofday%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20settimeofday%20-k%20audit_time_rules%0A
            mode: 0600
            path: /etc/audit/rules.d/75-syscall-settimeofday.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit settimeofday  oval:ssg-test_32bit_art_settimeofday_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_art_settimeofday_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit settimeofday  oval:ssg-test_64bit_art_settimeofday_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_art_settimeofday_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit settimeofday  oval:ssg-test_32bit_art_settimeofday_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_art_settimeofday_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit settimeofday  oval:ssg-test_64bit_art_settimeofday_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_art_settimeofday_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Attempts to Alter Time Through stime | xccdf_org.ssgproject.content_rule_audit_rules_time_stime | medium | CCE-82617-2

    Record Attempts to Alter Time Through stime

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_stime
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_time_stime:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82617-2

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-001487, CCI-000169
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.4.2.b
    anssi: R73
    pcidss4: 10.6.3, 10.6
    Description
    If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d for both 32 bit and 64 bit systems:
    -a always,exit -F arch=b32 -S stime -F key=audit_time_rules
    Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file for both 32 bit and 64 bit systems:
    -a always,exit -F arch=b32 -S stime -F key=audit_time_rules
    Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined system calls:
    -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
    Rationale
    Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

    Complexity: low
    Disruption: low
    Reboot: true
    Strategy: restrict
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20stime%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20stime%20-k%20audit_time_rules%0A }}
            mode: 0600
            path: /etc/audit/rules.d/75-syscall-stime.rules
            overwrite: true
    
    OVAL test results details

    32 bit architecture  oval:ssg-test_system_info_architecture_x86:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit stime  oval:ssg-test_32bit_art_stime_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_art_stime_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit stime  oval:ssg-test_32bit_art_stime_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_art_stime_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Attempts to Alter the localtime File | xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime | medium | CCE-82618-0

    Record Attempts to Alter the localtime File

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_time_watch_localtime:def:1
    Time: 2025-10-23T19:36:55+00:00
    Severity: medium
    Identifiers:

    CCE-82618-0

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-001487, CCI-000169
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.4.2.b
    anssi: R73
    pcidss4: 10.6.3, 10.6
    Description
    If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
    -w /etc/localtime -p wa -k audit_time_rules
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules:
    -w /etc/localtime -p wa -k audit_time_rules
    Rationale
    Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-w%20/etc/localtime%20-p%20wa%20-k%20audit_time_rules%0A
            mode: 0644
            path: /etc/audit/rules.d/75-audit_rules_time_watch_localtime.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules localtime  oval:ssg-test_audit_rules_time_watch_localtime_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_time_watch_localtime_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^\-w[\s]+\/etc\/localtime[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl localtime  oval:ssg-test_audit_rules_time_watch_localtime_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_time_watch_localtime_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^\-w[\s]+\/etc\/localtime[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$
    Instance: 1
    Record Events that Modify User/Group Information via open syscall - /etc/group | xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open | medium | CCE-82700-6

    Record Events that Modify User/Group Information via open syscall - /etc/group

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_etc_group_open:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82700-6

    References:
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    Description
    The audit system should collect write events to /etc/group file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
    Rationale
    Creation of groups through direct editing of /etc/group could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/group%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/group%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
            mode: 0644
            path: /etc/audit/rules.d/75-etc_group_open_path_syscall.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_group_open_32bit_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_group_open_32bit_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_group_open_64bit_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_group_open_64bit_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_group_open_32bit_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_group_open_32bit_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_group_open_64bit_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_group_open_64bit_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group | xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at | medium | CCE-82702-2

    Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_etc_group_open_by_handle_at:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82702-2

    References:
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    Description
    The audit system should collect write events to /etc/group file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
    Rationale
    Creation of groups through direct editing of /etc/group could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
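    The following is an added example, not part of this guide or of the ComplianceAsCode project: it re-implements the augenrules checks for the time rules and the /etc/group open rules above (the same textfilecontent54 patterns shown in the OVAL results) as Python regexes and runs them over constructed rules.d contents, including the stime caveat that only the b32 form is required and the `-F a1&03` / `-F a2&03` write-flag filters.

```python
"""Offline re-implementation of the augenrules checks described in this guide.

Added example; not the guide's or the project's own code. The regexes mirror
the textfilecontent54_object patterns printed in the OVAL test results, and
the rule-file contents below are constructed sample data, not a real host's.
"""
import re
from typing import Callable, Dict


# Constructed sample of /etc/audit/rules.d: the time rules are complete, the
# /etc/group open rule is present but lacks "-F a1&03" and has no b32 form,
# and one file without the .rules suffix shows that augenrules ignores it.
SAMPLE_RULES_D: Dict[str, str] = {
    "75-syscall-settimeofday.rules": (
        "-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules\n"
        "-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules\n"
    ),
    "75-syscall-stime.rules": "-a always,exit -F arch=b32 -S stime -F key=audit_time_rules\n",
    "75-audit_rules_time_watch_localtime.rules": "-w /etc/localtime -p wa -k audit_time_rules\n",
    "75-etc_group_open_path_syscall.rules": (
        "-a always,exit -F arch=b64 -S open -F path=/etc/group"
        " -F auid>=1000 -F auid!=unset -F key=modify\n"
    ),
    "99-notes.rules.disabled": (
        "-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group"
        " -F auid>=1000 -F auid!=unset -F key=modify\n"
    ),
}


def syscall_rule_re(arch: str, syscall: str) -> "re.Pattern[str]":
    """Pattern for '-a always,exit -F arch=<arch> -S <syscall> ... -k <key>' (time
    rules). The syscall may follow -S directly or sit inside a comma list."""
    sc = re.escape(syscall)
    return re.compile(
        r"^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=" + arch
        + r".*(-S[\s]+" + sc + r"[\s]+|([\s]+|[,])" + sc + r"([\s]+|[,]))"
        + r".*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$",
        re.MULTILINE,
    )


def open_rule_re(arch: str, syscall: str, arg_filter: str, path: str) -> "re.Pattern[str]":
    """Pattern for the /etc/group open-style rules: arch, syscall (alone or in a
    list), the write-flag filter (a1&03 for open, a2&03 for open_by_handle_at),
    the path filter, the auid bounds and a key, in the order the guide uses."""
    return re.compile(
        r"^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=" + arch + r"[\s]+)"
        + r"(?:-S[\s]+(?:[\S]+,)*(" + re.escape(syscall) + r")(?:,[\S]+)*)[\s]+"
        + r"(?:-F[\s]+" + re.escape(arg_filter) + r")[\s]+"
        + r"(?:-F[\s]+path=" + re.escape(path) + r")[\s]+"
        + r"(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)"
        + r"(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$",
        re.MULTILINE,
    )


# Watch rule on /etc/localtime: -p must carry both 'w' and 'a' (r/x may be mixed in).
WATCH_LOCALTIME_RE = re.compile(
    r"^\-w[\s]+\/etc\/localtime[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$",
    re.MULTILINE,
)


def augenrules_text(rules_d: Dict[str, str]) -> str:
    """Concatenate the files augenrules would load: only names ending in .rules."""
    return "".join(text for name, text in sorted(rules_d.items()) if name.endswith(".rules"))


def evaluate(rules_d: Dict[str, str], is_64bit: bool = True) -> Dict[str, bool]:
    """Return pass/fail per rule ID for the augenrules layout. On 64-bit hosts the
    b64 form is required as well, except for stime, which has no b64 syscall."""
    text = augenrules_text(rules_d)

    def both_arches(make: Callable[[str], "re.Pattern[str]"]) -> bool:
        return bool(make("b32").search(text)) and (not is_64bit or bool(make("b64").search(text)))

    return {
        "audit_rules_time_settimeofday": both_arches(lambda a: syscall_rule_re(a, "settimeofday")),
        "audit_rules_time_stime": bool(syscall_rule_re("b32", "stime").search(text)),
        "audit_rules_time_watch_localtime": bool(WATCH_LOCALTIME_RE.search(text)),
        "audit_rules_etc_group_open": both_arches(
            lambda a: open_rule_re(a, "open", "a1&03", "/etc/group")),
        "audit_rules_etc_group_open_by_handle_at": both_arches(
            lambda a: open_rule_re(a, "open_by_handle_at", "a2&03", "/etc/group")),
    }


if __name__ == "__main__":
    for rule, ok in evaluate(SAMPLE_RULES_D).items():
        print(f"{rule}: {'pass' if ok else 'fail'}")
```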

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/group%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/group%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
            mode: 0644
            path: /etc/audit/rules.d/75-etc_group_open_by_handle_at_path_syscall.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_group_open_by_handle_at_32bit_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_group_open_by_handle_at_32bit_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_group_open_by_handle_at_64bit_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_group_open_by_handle_at_64bit_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_group_open_by_handle_at_32bit_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_group_open_by_handle_at_32bit_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_group_open_by_handle_at_64bit_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_group_open_by_handle_at_64bit_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Events that Modify User/Group Information via openat syscall - /etc/group  xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat  medium  CCE-82701-4

    Record Events that Modify User/Group Information via openat syscall - /etc/group

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_etc_group_openat:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82701-4

    References:
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    Description
    The audit system should collect write events to the /etc/group file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify
    Rationale
    Creation of groups through direct editing of /etc/group could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/group%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/group%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
            mode: 0644
            path: /etc/audit/rules.d/75-etc_group_openat_path_syscall.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_group_openat_32bit_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_group_openat_32bit_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_group_openat_64bit_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_group_openat_64bit_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_group_openat_32bit_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_group_openat_32bit_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_group_openat_64bit_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_group_openat_64bit_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Events that Modify User/Group Information via open syscall - /etc/gshadow  xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open  medium  CCE-82703-0

    Record Events that Modify User/Group Information via open syscall - /etc/gshadow

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_etc_gshadow_open:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82703-0

    References:
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    Description
    The audit system should collect write events to the /etc/gshadow file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
    Rationale
    Creation of users through direct editing of /etc/gshadow could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/gshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/gshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
            mode: 0644
            path: /etc/audit/rules.d/75-etc_gshadow_open_path_syscall.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_gshadow_open_32bit_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_gshadow_open_32bit_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_gshadow_open_64bit_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_gshadow_open_64bit_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_gshadow_open_32bit_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_gshadow_open_32bit_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_gshadow_open_64bit_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_gshadow_open_64bit_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow  xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at  medium  CCE-82705-5

    Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_etc_gshadow_open_by_handle_at:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82705-5

    References:
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    Description
    The audit system should collect write events to the /etc/gshadow file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
    Rationale
    Creation of users through direct editing of /etc/gshadow could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/gshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/gshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
            mode: 0644
            path: /etc/audit/rules.d/75-etc_gshadow_open_by_handle_at_path_syscall.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_gshadow_open_by_handle_at_32bit_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_gshadow_open_by_handle_at_32bit_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_gshadow_open_by_handle_at_64bit_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_gshadow_open_by_handle_at_64bit_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_gshadow_open_by_handle_at_32bit_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_gshadow_open_by_handle_at_32bit_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_gshadow_open_by_handle_at_64bit_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_gshadow_open_by_handle_at_64bit_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Events that Modify User/Group Information via openat syscall - /etc/gshadow  xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat  medium  CCE-82704-8

    Record Events that Modify User/Group Information via openat syscall - /etc/gshadow

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_etc_gshadow_openat:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82704-8

    References:
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    Description
    The audit system should collect write events to the /etc/gshadow file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify
    Rationale
    Creation of users through direct editing of /etc/gshadow could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify

    Complexity:low
    Disruption:medium
    Reboot:true
    Strategy:disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/gshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/gshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
            mode: 0644
            path: /etc/audit/rules.d/75-etc_gshadow_openat_path_syscall.rules
            overwrite: true
    
    OVAL test results details

    Test "audit augenrules" (oval:ssg-test_audit_rules_augenrules:tst:1): true
    The following items have been found on the system:
      Result of item-state comparison: not evaluated
      Path: /usr/lib/systemd/system/auditd.service
      Content: ExecStartPost=-/sbin/augenrules --load

    Test "defined audit rule must exist" (oval:ssg-test_audit_rules_tc_gshadow_openat_32bit_augenrules:tst:1): false
    No items have been found conforming to the following objects:
      Object oval:ssg-object_audit_rules_tc_gshadow_openat_32bit_augenrules:obj:1 of type textfilecontent54_object
      Filepath: ^/etc/audit/rules\.d/.*\.rules$
      Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      Instance: 1

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_x86_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_ppc_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_ppcle_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_aarch_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_s390_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    Test "defined audit rule must exist" (oval:ssg-test_audit_rules_tc_gshadow_openat_64bit_augenrules:tst:1): false
    No items have been found conforming to the following objects:
      Object oval:ssg-object_audit_rules_tc_gshadow_openat_64bit_augenrules:obj:1 of type textfilecontent54_object
      Filepath: ^/etc/audit/rules\.d/.*\.rules$
      Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      Instance: 1

    Test "audit auditctl" (oval:ssg-test_audit_rules_auditctl:tst:1): false
    No items have been found conforming to the following objects:
      Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
      Filepath: /usr/lib/systemd/system/auditd.service
      Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
      Instance: 1

    Test "defined audit rule must exist" (oval:ssg-test_audit_rules_tc_gshadow_openat_32bit_auditctl:tst:1): false
    No items have been found conforming to the following objects:
      Object oval:ssg-object_audit_rules_tc_gshadow_openat_32bit_auditctl:obj:1 of type textfilecontent54_object
      Filepath: /etc/audit/audit.rules
      Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      Instance: 1

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_x86_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_ppc_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_ppcle_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_aarch_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_s390_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    Test "defined audit rule must exist" (oval:ssg-test_audit_rules_tc_gshadow_openat_64bit_auditctl:tst:1): false
    No items have been found conforming to the following objects:
      Object oval:ssg-object_audit_rules_tc_gshadow_openat_64bit_auditctl:obj:1 of type textfilecontent54_object
      Filepath: /etc/audit/audit.rules
      Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      Instance: 1

    Record Events that Modify User/Group Information via open syscall - /etc/passwd

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_etc_passwd_open:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers: CCE-82706-3
    References:
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    Description
    The audit system should collect write events to the /etc/passwd file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
    If the system is 64 bit, also add the following line:
    -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
    Rationale
    Creation of users through direct editing of /etc/passwd could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system call has been placed independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify

    Remediation:
    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
            mode: 0644
            path: /etc/audit/rules.d/75-etc_passwd_open_path_syscall.rules
            overwrite: true
    
    OVAL test results details

    Test "audit augenrules" (oval:ssg-test_audit_rules_augenrules:tst:1): true
    The following items have been found on the system:
      Result of item-state comparison: not evaluated
      Path: /usr/lib/systemd/system/auditd.service
      Content: ExecStartPost=-/sbin/augenrules --load

    Test "defined audit rule must exist" (oval:ssg-test_audit_rules_tc_passwd_open_32bit_augenrules:tst:1): false
    No items have been found conforming to the following objects:
      Object oval:ssg-object_audit_rules_tc_passwd_open_32bit_augenrules:obj:1 of type textfilecontent54_object
      Filepath: ^/etc/audit/rules\.d/.*\.rules$
      Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      Instance: 1

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_x86_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_ppc_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_ppcle_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_aarch_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_s390_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    Test "defined audit rule must exist" (oval:ssg-test_audit_rules_tc_passwd_open_64bit_augenrules:tst:1): false
    No items have been found conforming to the following objects:
      Object oval:ssg-object_audit_rules_tc_passwd_open_64bit_augenrules:obj:1 of type textfilecontent54_object
      Filepath: ^/etc/audit/rules\.d/.*\.rules$
      Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      Instance: 1

    Test "audit auditctl" (oval:ssg-test_audit_rules_auditctl:tst:1): false
    No items have been found conforming to the following objects:
      Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
      Filepath: /usr/lib/systemd/system/auditd.service
      Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
      Instance: 1

    Test "defined audit rule must exist" (oval:ssg-test_audit_rules_tc_passwd_open_32bit_auditctl:tst:1): false
    No items have been found conforming to the following objects:
      Object oval:ssg-object_audit_rules_tc_passwd_open_32bit_auditctl:obj:1 of type textfilecontent54_object
      Filepath: /etc/audit/audit.rules
      Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      Instance: 1

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_x86_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_ppc_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_ppcle_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_aarch_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_s390_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    Test "defined audit rule must exist" (oval:ssg-test_audit_rules_tc_passwd_open_64bit_auditctl:tst:1): false
    No items have been found conforming to the following objects:
      Object oval:ssg-object_audit_rules_tc_passwd_open_64bit_auditctl:obj:1 of type textfilecontent54_object
      Filepath: /etc/audit/audit.rules
      Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      Instance: 1

    Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_etc_passwd_open_by_handle_at:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers: CCE-82708-9
    References:
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    Description
    The audit system should collect write events to the /etc/passwd file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
    If the system is 64 bit, also add the following line:
    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
    Rationale
    Creation of users through direct editing of /etc/passwd could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system call has been placed independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify

    Remediation:
    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
            mode: 0644
            path: /etc/audit/rules.d/75-etc_passwd_open_by_handle_at_path_syscall.rules
            overwrite: true
    
    OVAL test results details

    Test "audit augenrules" (oval:ssg-test_audit_rules_augenrules:tst:1): true
    The following items have been found on the system:
      Result of item-state comparison: not evaluated
      Path: /usr/lib/systemd/system/auditd.service
      Content: ExecStartPost=-/sbin/augenrules --load

    Test "defined audit rule must exist" (oval:ssg-test_audit_rules_tc_passwd_open_by_handle_at_32bit_augenrules:tst:1): false
    No items have been found conforming to the following objects:
      Object oval:ssg-object_audit_rules_tc_passwd_open_by_handle_at_32bit_augenrules:obj:1 of type textfilecontent54_object
      Filepath: ^/etc/audit/rules\.d/.*\.rules$
      Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      Instance: 1

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_x86_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_ppc_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_ppcle_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_aarch_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_s390_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    Test "defined audit rule must exist" (oval:ssg-test_audit_rules_tc_passwd_open_by_handle_at_64bit_augenrules:tst:1): false
    No items have been found conforming to the following objects:
      Object oval:ssg-object_audit_rules_tc_passwd_open_by_handle_at_64bit_augenrules:obj:1 of type textfilecontent54_object
      Filepath: ^/etc/audit/rules\.d/.*\.rules$
      Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      Instance: 1

    Test "audit auditctl" (oval:ssg-test_audit_rules_auditctl:tst:1): false
    No items have been found conforming to the following objects:
      Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
      Filepath: /usr/lib/systemd/system/auditd.service
      Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
      Instance: 1

    Test "defined audit rule must exist" (oval:ssg-test_audit_rules_tc_passwd_open_by_handle_at_32bit_auditctl:tst:1): false
    No items have been found conforming to the following objects:
      Object oval:ssg-object_audit_rules_tc_passwd_open_by_handle_at_32bit_auditctl:obj:1 of type textfilecontent54_object
      Filepath: /etc/audit/audit.rules
      Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      Instance: 1

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_x86_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_ppc_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_ppcle_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_aarch_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_s390_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    Test "defined audit rule must exist" (oval:ssg-test_audit_rules_tc_passwd_open_by_handle_at_64bit_auditctl:tst:1): false
    No items have been found conforming to the following objects:
      Object oval:ssg-object_audit_rules_tc_passwd_open_by_handle_at_64bit_auditctl:obj:1 of type textfilecontent54_object
      Filepath: /etc/audit/audit.rules
      Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      Instance: 1

    Record Events that Modify User/Group Information via openat syscall - /etc/passwd

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_etc_passwd_openat:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers: CCE-82707-1
    References:
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    Description
    The audit system should collect write events to the /etc/passwd file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
    If the system is 64 bit, also add the following line:
    -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify
    Rationale
    Creation of users through direct editing of /etc/passwd could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system call has been placed independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify

    Remediation:
    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
            mode: 0644
            path: /etc/audit/rules.d/75-etc_passwd_openat_path_syscall.rules
            overwrite: true
    
    OVAL test results details

    Test "audit augenrules" (oval:ssg-test_audit_rules_augenrules:tst:1): true
    The following items have been found on the system:
      Result of item-state comparison: not evaluated
      Path: /usr/lib/systemd/system/auditd.service
      Content: ExecStartPost=-/sbin/augenrules --load

    Test "defined audit rule must exist" (oval:ssg-test_audit_rules_tc_passwd_openat_32bit_augenrules:tst:1): false
    No items have been found conforming to the following objects:
      Object oval:ssg-object_audit_rules_tc_passwd_openat_32bit_augenrules:obj:1 of type textfilecontent54_object
      Filepath: ^/etc/audit/rules\.d/.*\.rules$
      Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      Instance: 1

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_x86_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_ppc_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_ppcle_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_aarch_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_s390_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    Test "defined audit rule must exist" (oval:ssg-test_audit_rules_tc_passwd_openat_64bit_augenrules:tst:1): false
    No items have been found conforming to the following objects:
      Object oval:ssg-object_audit_rules_tc_passwd_openat_64bit_augenrules:obj:1 of type textfilecontent54_object
      Filepath: ^/etc/audit/rules\.d/.*\.rules$
      Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      Instance: 1

    Test "audit auditctl" (oval:ssg-test_audit_rules_auditctl:tst:1): false
    No items have been found conforming to the following objects:
      Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
      Filepath: /usr/lib/systemd/system/auditd.service
      Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
      Instance: 1

    Test "defined audit rule must exist" (oval:ssg-test_audit_rules_tc_passwd_openat_32bit_auditctl:tst:1): false
    No items have been found conforming to the following objects:
      Object oval:ssg-object_audit_rules_tc_passwd_openat_32bit_auditctl:obj:1 of type textfilecontent54_object
      Filepath: /etc/audit/audit.rules
      Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
      Instance: 1

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_x86_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_ppc_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    Test "64 bit architecture" (oval:ssg-test_system_info_architecture_ppcle_64:tst:1): not applicable
    No items have been found conforming to the following objects:
      Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_passwd_openat_64bit_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_passwd_openat_64bit_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Events that Modify User/Group Information via open syscall - /etc/shadow  xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open  medium  CCE-82709-7

    Record Events that Modify User/Group Information via open syscall - /etc/shadow

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_etc_shadow_open:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82709-7

    References:
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    Description
    The audit system should collect write events to the /etc/shadow file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
    Rationale
    Creation of users through direct editing of /etc/shadow could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
            mode: 0644
            path: /etc/audit/rules.d/75-etc_shadow_open_path_syscall.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_shadow_open_32bit_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_shadow_open_32bit_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_shadow_open_64bit_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_shadow_open_64bit_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_shadow_open_32bit_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_shadow_open_32bit_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_shadow_open_64bit_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_shadow_open_64bit_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow  xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at  medium  CCE-82711-3

    Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_etc_shadow_open_by_handle_at:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82711-3

    References:
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    Description
    The audit system should collect write events to the /etc/shadow file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
    Rationale
    Creation of users through direct editing of /etc/shadow could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
            mode: 0644
            path: /etc/audit/rules.d/75-etc_shadow_open_by_handle_at_path_syscall.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_shadow_open_by_handle_at_32bit_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_shadow_open_by_handle_at_32bit_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_shadow_open_by_handle_at_64bit_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_shadow_open_by_handle_at_64bit_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_shadow_open_by_handle_at_32bit_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_shadow_open_by_handle_at_32bit_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_shadow_open_by_handle_at_64bit_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_shadow_open_by_handle_at_64bit_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Events that Modify User/Group Information via openat syscall - /etc/shadow  xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat  medium  CCE-82710-5

    Record Events that Modify User/Group Information via openat syscall - /etc/shadow

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_etc_shadow_openat:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82710-5

    References:
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    Description
    The audit system should collect write events to the /etc/shadow file for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
    If the system is 64 bit then also add the following line:
    -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
    Rationale
    Creation of users through direct editing of /etc/shadow could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
    Warnings
    Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. Grouping system calls related to the same event is more efficient. See the following example:
    -a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
            mode: 0644
            path: /etc/audit/rules.d/75-etc_shadow_openat_path_syscall.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_shadow_openat_32bit_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_shadow_openat_32bit_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_shadow_openat_64bit_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_shadow_openat_64bit_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_shadow_openat_32bit_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_shadow_openat_32bit_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    defined audit rule must exist  oval:ssg-test_audit_rules_tc_shadow_openat_64bit_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_tc_shadow_openat_64bit_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Make the auditd Configuration Immutable  xccdf_org.ssgproject.content_rule_audit_rules_immutable  medium  CCE-82668-5

    Make the auditd Configuration Immutable

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_immutable
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_immutable:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82668-5

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8
    cjis: 5.4.1.1
    cobit5: APO01.06, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.3.1, 3.4.3
    disa: CCI-000163, CCI-000164, CCI-000162
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.310(a)(2)(iv), 164.312(d), 164.310(d)(2)(iii), 164.312(b), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1
    iso27001-2013: A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
    nist: AC-6(9), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4
    pcidss: Req-10.5.2
    os-srg: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029
    app-srg-ctr: SRG-APP-000119-CTR-000245, SRG-APP-000120-CTR-000250, CNTR-OS-000310
    anssi: R73
    pcidss4: 10.3.2, 10.3
    Description
    If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to make the auditd configuration immutable:
    -e 2
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file in order to make the auditd configuration immutable:
    -e 2
    With this setting, a reboot will be required to change any audit rules.
    Rationale
    Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-e%202%0A
            mode: 0600
            path: /etc/audit/rules.d/90-immutable.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules configuration locked  oval:ssg-test_ari_locked_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_ari_locked_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^\-e\s+2\s*$  1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /usr/lib/systemd/system/auditd.service  ^ExecStartPost=\-\/sbin\/auditctl.*$  1

    audit auditctl configuration locked  oval:ssg-test_ari_locked_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_ari_locked_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/audit/audit.rules  ^\-e\s+2\s*$  1
    Record Events that Modify the System's Mandatory Access Controls  xccdf_org.ssgproject.content_rule_audit_rules_mac_modification  medium  CCE-82586-9

    Record Events that Modify the System's Mandatory Access Controls

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
    Result
    fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_mac_modification:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82586-9

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.8
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.5.5
    anssi: R73
    pcidss4: 10.3.4, 10.3
    Description
    If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
    -w /etc/selinux/ -p wa -k MAC-policy
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
    -w /etc/selinux/ -p wa -k MAC-policy
    Rationale
    The system's mandatory access control policy (SELinux or AppArmor) should not be changed by anything other than administrator action. All changes to MAC policy should be audited.

    Complexity: low
    Disruption: low
    Reboot: true
    Strategy: restrict
    ---
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-w%20/etc/selinux/%20-p%20wa%20-k%20MAC-policy%0A
            mode: 0600
            path: /etc/audit/rules.d/75-etcselinux-wa-MAC-policy.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit selinux changes augenrules  oval:ssg-test_armm_selinux_watch_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_armm_selinux_watch_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$  1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /usr/lib/systemd/system/auditd.service  ^ExecStartPost=\-\/sbin\/auditctl.*$  1

    audit selinux changes auditctl  oval:ssg-test_armm_selinux_watch_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_armm_selinux_watch_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/audit/audit.rules  ^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$  1
    Ensure auditd Collects Information on Exporting to Media (successful)  xccdf_org.ssgproject.content_rule_audit_rules_media_export  medium  CCE-82587-7

    Ensure auditd Collects Information on Exporting to Media (successful)

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_media_export
    Result
    fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_media_export:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82587-7

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.7
    os-srg: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
    app-srg-ctr: SRG-APP-000495-CTR-001235, CNTR-OS-000930
    anssi: R73
    pcidss4: 10.2.1.7, 10.2.1, 10.2
    Description
    At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system; on a 64-bit system, add the line twice, once with arch=b32 and once with arch=b64:
    -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to b32 on a 32-bit system; on a 64-bit system, add the line twice, once with arch=b32 and once with arch=b64:
    -a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
    Rationale
    The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20mount%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dexport%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20mount%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dexport%0A
            mode: 0644
            path: /etc/audit/rules.d/75-mount_dac_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit mount  oval:ssg-test_32bit_ardm_mount_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_mount_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit mount  oval:ssg-test_64bit_ardm_mount_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_mount_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /usr/lib/systemd/system/auditd.service  ^ExecStartPost=\-\/sbin\/auditctl.*$  1

    audit auditctl 32-bit mount  oval:ssg-test_32bit_ardm_mount_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_mount_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/audit/audit.rules  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit mount  oval:ssg-test_64bit_ardm_mount_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_mount_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/audit/audit.rules  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1
    Record Events that Modify the System's Network Environment  xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification  medium  CCE-82588-5

    Record Events that Modify the System's Network Environment

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
    Result
    fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_networkconfig_modification:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82588-5

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.5.5
    anssi: R73
    pcidss4: 10.3.4, 10.3
    Description
    If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to b32 on a 32-bit system; on a 64-bit system, add the -a line twice, once with arch=b32 and once with arch=b64:
    -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
    -w /etc/issue -p wa -k audit_rules_networkconfig_modification
    -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
    -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
    -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file, setting ARCH to b32 on a 32-bit system; on a 64-bit system, add the -a line twice, once with arch=b32 and once with arch=b64:
    -a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
    -w /etc/issue -p wa -k audit_rules_networkconfig_modification
    -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
    -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
    -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
    Rationale
    The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.

    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20sethostname%2Csetdomainname%20-F%20key%3Daudit_rules_networkconfig_modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20sethostname%2Csetdomainname%20-F%20key%3Daudit_rules_networkconfig_modification%0A-w%20/etc/issue%20-p%20wa%20-k%20audit_rules_networkconfig_modification%0A-w%20/etc/issue.net%20-p%20wa%20-k%20audit_rules_networkconfig_modification%0A-w%20/etc/hosts%20-p%20wa%20-k%20audit_rules_networkconfig_modification%0A-w%20/etc/sysconfig/network%20-p%20wa%20-k%20audit_rules_networkconfig_modification%0A
            mode: 0644
            path: /etc/audit/rules.d/75-audit_rules_networkconfig_modification.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit /etc/issue augenrules  oval:ssg-test_arnm_etc_issue_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arnm_etc_issue_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$  1

    audit /etc/issue.net augenrules  oval:ssg-test_arnm_etc_issue_net_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arnm_etc_issue_net_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$  1

    audit /etc/hosts augenrules  oval:ssg-test_arnm_etc_hosts_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arnm_etc_hosts_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$  1

    audit /etc/sysconfig/network augenrules  oval:ssg-test_arnm_etc_sysconfig_network_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arnm_etc_sysconfig_network_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$  1

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit sethostname  oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_sethostname_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit sethostname  oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_sethostname_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /usr/lib/systemd/system/auditd.service  ^ExecStartPost=\-\/sbin\/auditctl.*$  1

    audit auditctl 32-bit sethostname  oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_sethostname_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/audit/audit.rules  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit sethostname  oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_sethostname_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/audit/audit.rules  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison  Path  Content
    not evaluated  /usr/lib/systemd/system/auditd.service  ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit setdomainname  oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_setdomainname_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit setdomainname  oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_setdomainname_augenrules:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    ^/etc/audit/rules\.d/.*\.rules$  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /usr/lib/systemd/system/auditd.service  ^ExecStartPost=\-\/sbin\/auditctl.*$  1

    audit auditctl 32-bit setdomainname  oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_setdomainname_auditctl:obj:1 of type textfilecontent54_object
    Filepath  Pattern  Instance
    /etc/audit/audit.rules  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit setdomainname  oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_setdomainname_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit /etc/issue auditctl  oval:ssg-test_arnm_etc_issue_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arnm_etc_issue_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$
    Instance: 1

    audit /etc/issue.net auditctl  oval:ssg-test_arnm_etc_issue_net_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arnm_etc_issue_net_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$
    Instance: 1

    audit /etc/hosts auditctl  oval:ssg-test_arnm_etc_hosts_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arnm_etc_hosts_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$
    Instance: 1

    audit /etc/sysconfig/network auditctl  oval:ssg-test_arnm_etc_sysconfig_network_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arnm_etc_sysconfig_network_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$
    Instance: 1

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit sethostname  oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_sethostname_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit sethostname  oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_sethostname_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit sethostname  oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_sethostname_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit sethostname  oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_sethostname_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules 32-bit setdomainname  oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_setdomainname_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules 64-bit setdomainname  oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_setdomainname_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl 32-bit setdomainname  oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_32bit_ardm_setdomainname_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl 64-bit setdomainname  oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_64bit_ardm_setdomainname_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    Record Attempts to Alter Process and Session Initiation Information (xccdf_org.ssgproject.content_rule_audit_rules_session_events, medium, CCE-82612-3)

    Record Attempts to Alter Process and Session Initiation Information

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_session_events
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_session_events:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82612-3

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    ism: 0582, 0584, 05885, 0586, 0846, 0957
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nist: AU-2(d), AU-12(c), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.3
    app-srg-ctr: SRG-APP-000505-CTR-001285, CNTR-OS-000990
    anssi: R73
    pcidss4: 10.2.1.3, 10.2.1, 10.2
    Description
    The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of the files that store such process and session information:
    -w /var/run/utmp -p wa -k session
    -w /var/log/btmp -p wa -k session
    -w /var/log/wtmp -p wa -k session
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same three lines to /etc/audit/audit.rules instead.
    Rationale
    Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion (utmp holds current logins, wtmp the login history, btmp failed login attempts).
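    The checks in this report are regular expressions applied to the rule files, so the quickest way to see why a rule fails is to run the same expressions yourself. The script below is an added example written for this guide; it is not code from the SCAP report or from ComplianceAsCode. It reuses the textfilecontent54 patterns shown on this page (the augenrules/auditctl mode detection, the watch pattern that accepts any permission string containing both w and a, and the syscall pattern used by the sethostname/setdomainname tests above), applies them line by line, and runs them over constructed sample files in a temporary directory. Note that the utmp/btmp/wtmp tests for this particular rule accept only the literal wa; the permissive form is used here. Paths and file contents are parameters of the example, not the live /etc/audit tree.

```python
"""Evaluate auditd rule files the way the OVAL tests in this report do.

Added example for this guide; it is not code from the SCAP report or from
ComplianceAsCode. It reuses the report's textfilecontent54 regexes, applied
line by line, and writes constructed sample files to a temporary directory
(the /etc/audit paths are parameters here, not the live system).
"""
import glob
import os
import re
import tempfile

# Permission field accepted by most watch tests on this page: both w and a must
# be present, r and x are optional, order is free ("wa", "aw", "rwa" all pass).
PERMS = r"\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b"


def watch_pattern(path):
    """-w <path> -p <perms> ... (e.g. -w /etc/sudoers -p wa -k actions)."""
    return re.compile(r"^\-w[\s]+" + re.escape(path) + r"[\s]+\-p[\s]+" + PERMS + r".*$")


def syscall_pattern(arch, syscall):
    """-a always,exit -F arch=<arch> ... -S <list containing syscall> ... -k <key>.

    The syscall may be the sole -S argument or one entry of a comma list, and the
    key may be given as '-k key' or '-F key=key'; a rule without a key fails.
    """
    return re.compile(
        r"^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=" + arch + r"[\s]+)"
        r"(?:.*(-S[\s]+" + syscall + r"[\s]+|([\s]+|[,])" + syscall + r"([\s]+|[,])))"
        r".*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$"
    )


def rule_files(auditd_service, audit_dir):
    """Pick the rule source the 'audit augenrules' / 'audit auditctl' tests decide on:
    ExecStartPost=-/sbin/augenrules --load -> <audit_dir>/rules.d/*.rules
    ExecStartPost=-/sbin/auditctl ...      -> <audit_dir>/audit.rules
    """
    with open(auditd_service) as f:
        unit = f.read()
    if re.search(r"^ExecStartPost=\-\/sbin\/augenrules.*$", unit, re.M):
        return sorted(glob.glob(os.path.join(audit_dir, "rules.d", "*.rules")))
    if re.search(r"^ExecStartPost=\-\/sbin\/auditctl.*$", unit, re.M):
        return [os.path.join(audit_dir, "audit.rules")]
    return []


def check_rules(files, watches=(), syscalls=()):
    """Return {requirement: found?}. Syscalls are required for both b32 and b64,
    which is what the paired 32-bit/64-bit tests demand on a 64-bit host."""
    lines = []
    for path in files:
        with open(path) as f:
            lines.extend(f.read().splitlines())
    found = {}
    for w in watches:
        pat = watch_pattern(w)
        found["-w " + w] = any(pat.search(l) for l in lines)
    for s in syscalls:
        for arch in ("b32", "b64"):
            pat = syscall_pattern(arch, s)
            found["-S %s (%s)" % (s, arch)] = any(pat.search(l) for l in lines)
    return found


def demo():
    """Constructed RHCOS-like tree in augenrules mode, with deliberate defects."""
    root = tempfile.mkdtemp()
    rules_d = os.path.join(root, "audit", "rules.d")
    os.makedirs(rules_d)
    unit = os.path.join(root, "auditd.service")
    with open(unit, "w") as f:
        f.write("[Service]\nExecStart=/sbin/auditd\nExecStartPost=-/sbin/augenrules --load\n")
    with open(os.path.join(rules_d, "30-network.rules"), "w") as f:
        f.write("-a always,exit -F arch=b64 -S sethostname,setdomainname -k network\n"
                "-a always,exit -F arch=b32 -S sethostname -F key=network\n"
                "-a always,exit -F arch=b32 -S setdomainname\n")        # no key: fails
    with open(os.path.join(rules_d, "75-audit-session-events.rules"), "w") as f:
        f.write("-w /var/run/utmp -p wa -k session\n"
                "-w /var/log/btmp -p rwa -k session\n"                 # extra r: passes
                "-w /var/log/wtmp -p w -k session\n")                  # no a: fails
    return check_rules(rule_files(unit, os.path.join(root, "audit")),
                       watches=["/var/run/utmp", "/var/log/btmp", "/var/log/wtmp"],
                       syscalls=["sethostname", "setdomainname"])


if __name__ == "__main__":
    for req, ok in demo().items():
        print("%-28s %s" % (req, "pass" if ok else "FAIL"))
```

    Matching line by line matters: the patterns use [\s], which also matches a newline, so a whole-file search could let a keyless rule borrow the -k from the next line and pass. Point rule_files at /usr/lib/systemd/system/auditd.service and /etc/audit on a real node to reproduce a report result.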

    Complexity: low
    Disruption: low
    Reboot: true
    Strategy: restrict
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,%0A-w%20/var/run/utmp%20-p%20wa%20-k%20session%0A-w%20/var/log/btmp%20-p%20wa%20-k%20session%0A-w%20/var/log/wtmp%20-p%20wa%20-k%20session%0A
            mode: 0600
            path: /etc/audit/rules.d/75-audit-session-events.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules utmp  oval:ssg-test_arse_utmp_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arse_utmp_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^\-w\s+/var/run/utmp\s+\-p\s+wa\b.*$
    Instance: 1

    audit augenrules btmp  oval:ssg-test_arse_btmp_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arse_btmp_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^\-w\s+/var/log/btmp\s+\-p\s+wa\b.*$
    Instance: 1

    audit augenrules wtmp  oval:ssg-test_arse_wtmp_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arse_wtmp_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^\-w\s+/var/log/wtmp\s+\-p\s+wa\b.*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl utmp  oval:ssg-test_arse_utmp_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arse_utmp_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^\-w\s+/var/run/utmp\s+\-p\s+wa\b.*$
    Instance: 1

    audit auditctl btmp  oval:ssg-test_arse_btmp_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arse_btmp_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^\-w\s+/var/log/btmp\s+\-p\s+wa\b.*$
    Instance: 1

    audit auditctl wtmp  oval:ssg-test_arse_wtmp_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_arse_wtmp_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^\-w\s+/var/log/wtmp\s+\-p\s+wa\b.*$
    Instance: 1
    Ensure auditd Collects System Administrator Actions (xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions, medium, CCE-82613-1)

    Ensure auditd Collects System Administrator Actions

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_sysadmin_actions:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82613-1

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
    nist: AC-2(7)(b), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.2, Req-10.2.5.b
    os-srg: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221
    app-srg-ctr: SRG-APP-000026-CTR-000070, SRG-APP-000027-CTR-000075, SRG-APP-000028-CTR-000080, SRG-APP-000291-CTR-000675, SRG-APP-000292-CTR-000680, SRG-APP-000293-CTR-000685, SRG-APP-000294-CTR-000690, SRG-APP-000319-CTR-000745, SRG-APP-000320-CTR-000750, SRG-APP-000509-CTR-001305, CNTR-OS-000050, CNTR-OS-000060, CNTR-OS-000070
    anssi: R73
    pcidss4: 10.2.1.5, 10.2.1, 10.2
    Description
    If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
    -w /etc/sudoers -p wa -k actions
    -w /etc/sudoers.d/ -p wa -k actions
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same two lines to /etc/audit/audit.rules instead. The watch on the directory /etc/sudoers.d/ covers every drop-in file, including ones added later.
    Rationale
    The actions taken by system administrators should be audited to keep a record of what was executed on the system and to support accountability; changes to the sudoers policy are what grants that privilege in the first place.

    Complexity: low
    Disruption: low
    Reboot: true
    Strategy: restrict
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A
            mode: 0600
            path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules sudoers  oval:ssg-test_audit_rules_sudoers_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_sudoers_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^\-w[\s]+\/etc\/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl sudoers  oval:ssg-test_audit_rules_sudoers_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_sudoers_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^\-w[\s]+\/etc\/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$
    Instance: 1

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules sudoers_d  oval:ssg-test_audit_rules_sudoers_d_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_sudoers_d_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^\-w[\s]+\/etc\/sudoers.d\/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl sudoers_d  oval:ssg-test_audit_rules_sudoers_d_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_sudoers_d_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^\-w[\s]+\/etc\/sudoers.d\/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$
    Instance: 1
    Record Events that Modify User/Group Information - /etc/group (xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group, medium, CCE-82654-5)

    Record Events that Modify User/Group Information - /etc/group

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_usergroup_modification_group:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82654-5

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-001403, CCI-001404, CCI-001405, CCI-000172, CCI-000130, CCI-002130, CCI-000135, CCI-000169, CCI-002884, CCI-000018, CCI-000015
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.5
    os-srg: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221
    app-srg-ctr: SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000970
    anssi: R73
    pcidss4: 10.2.1.5, 10.2.1, 10.2
    Description
    If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
    -w /etc/group -p wa -k audit_rules_usergroup_modification
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules:
    -w /etc/group -p wa -k audit_rules_usergroup_modification
    Rationale
    In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
            mode: 0644
            path: /etc/audit/rules.d/75-audit_rules_usergroup_modification_group.rules
            overwrite: true
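    The MachineConfig remediations for this rule and the two rules before it all carry the audit rules inside a percent-encoded Ignition data URL, which is awkward to read or review by eye. The script below is an added example written for this guide, not code from the Compliance Operator or ComplianceAsCode. It encodes rule lines the way the remediations above do, decodes a rendered URL back into rules so the change can be reviewed before it is applied, and assembles a complete MachineConfig. The metadata block (object name and the machineconfiguration.openshift.io/role label) is an assumption: the fragments on this page omit it because the operator supplies it, and a hand-applied object needs it for the Machine Config Operator to act on it.

```python
"""Build, decode and sanity-check the Ignition data URLs that the MachineConfig
remediations on this page use to drop audit rules into /etc/audit/rules.d.

Added example for this guide; it is not Compliance Operator or ComplianceAsCode
code. The metadata block (object name and role label) is an assumption: the
rendered fragments omit it, and a MachineConfig applied by hand needs it for the
Machine Config Operator to pick it up.
"""
import json
from urllib.parse import quote, unquote

DATA_PREFIX = "data:,"


def rules_to_data_url(rules):
    """Percent-encode newline-terminated rule lines as the page's remediations do:
    space -> %20, newline -> %0A, while '/', '-', '_' and '.' stay literal."""
    return DATA_PREFIX + quote("".join(r + "\n" for r in rules), safe="/")


def data_url_to_rules(url):
    """Inverse of rules_to_data_url: the lines a remediation will actually write."""
    if not url.startswith(DATA_PREFIX):
        raise ValueError("only plain (non-base64) data URLs are handled")
    return unquote(url[len(DATA_PREFIX):]).splitlines()


def audit_rules_machineconfig(name, role, path, rules, mode=0o600):
    """Complete MachineConfig (as a dict; json.dumps output is valid YAML) that
    installs one augenrules fragment. Applying it reboots the affected nodes."""
    return {
        "apiVersion": "machineconfiguration.openshift.io/v1",
        "kind": "MachineConfig",
        "metadata": {
            "name": name,                                   # assumed name
            "labels": {"machineconfiguration.openshift.io/role": role},
        },
        "spec": {"config": {
            "ignition": {"version": "3.1.0"},
            "storage": {"files": [{
                "path": path,
                "mode": mode,          # YAML "0600" is the same octal value
                "overwrite": True,
                "contents": {"source": rules_to_data_url(rules)},
            }]},
        }},
    }


def review(mc):
    """Decode what a MachineConfig would write and flag lines that are neither a
    file watch (-w) nor a syscall rule (-a); blank lines are ignored when loaded."""
    src = mc["spec"]["config"]["storage"]["files"][0]["contents"]["source"]
    lines = [l for l in data_url_to_rules(src) if l.strip()]
    bad = [l for l in lines if not l.startswith(("-w ", "-a "))]
    return lines, bad


SESSION_RULES = [
    "-w /var/run/utmp -p wa -k session",
    "-w /var/log/btmp -p wa -k session",
    "-w /var/log/wtmp -p wa -k session",
]

# Copied from the /etc/group remediation rendered on this page.
PAGE_GROUP_URL = "data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A"


def demo():
    """Assemble the session-events MachineConfig and decode the page's /etc/group URL."""
    mc = audit_rules_machineconfig("75-audit-session-events", "worker",
                                   "/etc/audit/rules.d/75-audit-session-events.rules",
                                   SESSION_RULES)
    return mc, review(mc), data_url_to_rules(PAGE_GROUP_URL)


if __name__ == "__main__":
    mc, (lines, bad), group_rules = demo()
    print(json.dumps(mc, indent=2))
    print("writes:", lines, "unexpected:", bad)
    print("page's /etc/group remediation writes:", group_rules)
```

    Running the decoder over a remediation before applying it is a cheap review step: it shows exactly which watches and keys will land in rules.d, and the role label decides whether control-plane nodes, workers or both get the reboot that Reboot: true announces.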
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules group  oval:ssg-test_audit_rules_usergroup_modification_group_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_usergroup_modification_group_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^\-w[\s]+\/etc\/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl group  oval:ssg-test_audit_rules_usergroup_modification_group_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_usergroup_modification_group_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^\-w[\s]+\/etc\/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$
    Instance: 1
    Record Events that Modify User/Group Information - /etc/gshadow | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow | medium | CCE-82655-2

    Record Events that Modify User/Group Information - /etc/gshadow

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_usergroup_modification_gshadow:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82655-2

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-001403, CCI-001404, CCI-001405, CCI-000172, CCI-000130, CCI-002130, CCI-000135, CCI-000169, CCI-002884, CCI-000018, CCI-000015
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.5
    os-srg: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221
    app-srg-ctr: SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000970
    anssi: R73
    pcidss4: 10.2.1.5, 10.2.1, 10.2
    Description
    If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
    -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules:
    -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
    Rationale
    In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
            mode: 0644
            path: /etc/audit/rules.d/75-audit_rules_usergroup_modification_gshadow.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules gshadow  oval:ssg-test_audit_rules_usergroup_modification_gshadow_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_usergroup_modification_gshadow_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^\-w[\s]+\/etc\/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl gshadow  oval:ssg-test_audit_rules_usergroup_modification_gshadow_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_usergroup_modification_gshadow_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^\-w[\s]+\/etc\/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$
    Instance: 1
    Record Events that Modify User/Group Information - /etc/security/opasswd | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd | medium | CCE-82656-0

    Record Events that Modify User/Group Information - /etc/security/opasswd

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_usergroup_modification_opasswd:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82656-0

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-001403, CCI-001404, CCI-001405, CCI-000172, CCI-000130, CCI-002130, CCI-000135, CCI-000169, CCI-002884, CCI-000018, CCI-000015
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.5
    os-srg: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221
    app-srg-ctr: SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000503-CTR-001275, CNTR-OS-000930, CNTR-OS-000940, CNTR-OS-000970
    anssi: R73
    pcidss4: 10.2.1.5, 10.2.1, 10.2
    Description
    If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
    -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules:
    -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
    Rationale
    In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
            mode: 0644
            path: /etc/audit/rules.d/75-audit_rules_usergroup_modification_opasswd.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules opasswd  oval:ssg-test_audit_rules_usergroup_modification_opasswd_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_usergroup_modification_opasswd_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^\-w[\s]+\/etc\/security\/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl opasswd  oval:ssg-test_audit_rules_usergroup_modification_opasswd_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_usergroup_modification_opasswd_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^\-w[\s]+\/etc\/security\/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$
    Instance: 1
    Record Events that Modify User/Group Information - /etc/passwd | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd | medium | CCE-82657-8

    Record Events that Modify User/Group Information - /etc/passwd

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_usergroup_modification_passwd:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82657-8

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-001403, CCI-001404, CCI-001405, CCI-000172, CCI-000130, CCI-002130, CCI-000135, CCI-000169, CCI-002884, CCI-000018, CCI-000015
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.5
    os-srg: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107
    app-srg-ctr: SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000970
    anssi: R73
    pcidss4: 10.2.1.5, 10.2.1, 10.2
    Description
    If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
    -w /etc/passwd -p wa -k audit_rules_usergroup_modification
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules:
    -w /etc/passwd -p wa -k audit_rules_usergroup_modification
    Rationale
    In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification_passwd%0A
            mode: 0644
            path: /etc/audit/rules.d/75-audit_rules_usergroup_modification_passwd.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules passwd  oval:ssg-test_audit_rules_usergroup_modification_passwd_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_usergroup_modification_passwd_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl passwd  oval:ssg-test_audit_rules_usergroup_modification_passwd_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_usergroup_modification_passwd_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$
    Instance: 1
    Record Events that Modify User/Group Information - /etc/shadow | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow | medium | CCE-82658-6

    Record Events that Modify User/Group Information - /etc/shadow

    Rule ID: xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-audit_rules_usergroup_modification_shadow:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82658-6

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.1.7
    disa: CCI-001403, CCI-001404, CCI-001405, CCI-000172, CCI-000130, CCI-002130, CCI-000135, CCI-000169, CCI-002884, CCI-000018, CCI-000015
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5
    nerc-cip: CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3
    nist: AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    nist-csf: DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.2.5
    os-srg: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221
    app-srg-ctr: SRG-APP-000495-CTR-001235, SRG-APP-000499-CTR-001255, SRG-APP-000503-CTR-001275, CNTR-OS-000930, CNTR-OS-000950, CNTR-OS-000970
    anssi: R73
    pcidss4: 10.2.1.5, 10.2.1, 10.2
    Description
    If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
    -w /etc/shadow -p wa -k audit_rules_usergroup_modification
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules:
    -w /etc/shadow -p wa -k audit_rules_usergroup_modification
    Rationale
    In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
            mode: 0644
            path: /etc/audit/rules.d/75-audit_rules_usergroup_modification_shadow.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules shadow  oval:ssg-test_audit_rules_usergroup_modification_shadow_augenrules:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_usergroup_modification_shadow_augenrules:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^\-w[\s]+\/etc\/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl shadow  oval:ssg-test_audit_rules_usergroup_modification_shadow_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_usergroup_modification_shadow_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^\-w[\s]+\/etc\/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$
    Instance: 1
    Record Access Events to Audit Log Directory | xccdf_org.ssgproject.content_rule_directory_access_var_log_audit | medium | CCE-82712-1

    Record Access Events to Audit Log Directory

    Rule ID: xccdf_org.ssgproject.content_rule_directory_access_var_log_audit
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-directory_access_var_log_audit:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82712-1

    References:
    nist: AU-2(d), AU-12(c), AC-6(9), CM-6(a)
    pcidss4: 10.3.1, 10.3
    Description
    The audit system should collect read-access events for the audit log directory. The following audit rule ensures that such accesses are collected. Set ARCH to b32 on a 32-bit system; on a 64-bit system, add two lines, one with b32 and one with b64.
    -a always,exit -F arch=ARCH -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
    If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the rule to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the rule to the /etc/audit/audit.rules file.
    Rationale
    Attempts to read the logs should be recorded; suspicious access to audit log files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: disable
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-F%20dir%3D/var/log/audit/%20-F%20perm%3Dr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess-audit-trail%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-F%20dir%3D/var/log/audit/%20-F%20perm%3Dr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess-audit-trail%0A
            mode: 0600
            path: /etc/audit/rules.d/30-access-var-log-audit.rules
            overwrite: true
    
    OVAL test results details

    audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

    Following items have been found on the system:
    Result of item-state comparison: not evaluated
    Path: /usr/lib/systemd/system/auditd.service
    Content: ExecStartPost=-/sbin/augenrules --load

    audit augenrules   oval:ssg-test_directory_access_var_log_audit_augenrules_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_directory_access_var_log_audit_augenrules_32bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit augenrules   oval:ssg-test_directory_access_var_log_audit_augenrules_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_directory_access_var_log_audit_augenrules_64bit:obj:1 of type textfilecontent54_object
    Filepath: ^/etc/audit/rules\.d/.*\.rules$
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
    Filepath: /usr/lib/systemd/system/auditd.service
    Pattern: ^ExecStartPost=\-\/sbin\/auditctl.*$
    Instance: 1

    audit auditctl   oval:ssg-test_directory_access_var_log_audit_auditctl_32bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_directory_access_var_log_audit_auditctl_32bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1

    64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_x86_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppc_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_ppcle_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_aarch_64:obj:1 of type uname_object

    64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  not applicable

    No items have been found conforming to the following objects:
    Object oval:ssg-object_system_info_architecture_s390_64:obj:1 of type uname_object

    audit auditctl   oval:ssg-test_directory_access_var_log_audit_auditctl_64bit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_directory_access_var_log_audit_auditctl_64bit:obj:1 of type textfilecontent54_object
    Filepath: /etc/audit/audit.rules
    Pattern: ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$
    Instance: 1
    System Audit Logs Must Have Mode 0750 or Less Permissive | xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit | medium | CCE-82692-5

    System Audit Logs Must Have Mode 0750 or Less Permissive

Rule ID  xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit
Result  pass
Multi-check rule  no
OVAL Definition ID  oval:ssg-directory_permissions_var_log_audit:def:1
Time  2025-10-23T19:36:54+00:00
Severity  medium
    Identifiers:

    CCE-82692-5

    References:
cis-csc  1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8
cobit5  APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01
disa  CCI-000162, CCI-000163, CCI-000164
isa-62443-2009  4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013  SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1
iso27001-2013  A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip  CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CIP-007-3 R6.5
nist  CM-6(a), AC-6(1), AU-9
nist-csf  DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4
os-srg  SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029
    Description
    If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the mode of the audit log files with the following command:
    $ sudo chmod 0750 /var/log/audit

    Otherwise, change the mode of the audit log files with the following command:
    $ sudo chmod 0700 /var/log/audit
    Rationale
    If users can write to audit logs, audit trails can be modified or destroyed.
    OVAL test results details

    log_file not set  oval:ssg-test_auditd_conf_log_file_not_set:tst:1  false

The following items have been found on the system:
Result of item-state comparison  Path  Content
not evaluated  /etc/audit/auditd.conf  log_file = /var/log/audit/audit.log

    log_group = root  oval:ssg-test_auditd_conf_log_group_not_root:tst:1  false

The following items have been found on the system:
Result of item-state comparison  Path  Content
not evaluated  /etc/audit/auditd.conf  log_group = root

    log_group is set  oval:ssg-test_auditd_conf_log_group_is_set:tst:1  true

The following items have been found on the system:
Result of item-state comparison  Path  Content
not evaluated  /etc/audit/auditd.conf  log_group = root

    /var/log/audit files mode 0750  oval:ssg-test_dir_permissions_audit_log-non_root:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_log_directory-non_root:obj:1 of type file_object
Behaviors  no value
Path  /var/log/audit/audit.log; /var/log/audit
Filename  no value
Filter  oval:ssg-state_not_mode_0750:ste:1

    /var/log/audit mode 0700  oval:ssg-test_dir_permissions_audit_log:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_log_directory:obj:1 of type file_object
Behaviors  no value
Path  /var/log/audit/audit.log; /var/log/audit
Filename  no value
Filter  oval:ssg-state_not_mode_0700:ste:1

    /var/log/audit mode 0700  oval:ssg-test_dir_permissions_var_log_audit:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_var_log_audit_directory:obj:1 of type file_object
Behaviors  no value
Path  /var/log/audit
Filename  no value
Filter  oval:ssg-state_not_mode_0700:ste:1

    log_group = root  oval:ssg-test_auditd_conf_log_group_not_root:tst:1  false

The following items have been found on the system:
Result of item-state comparison  Path  Content
not evaluated  /etc/audit/auditd.conf  log_group = root

    log_group is set  oval:ssg-test_auditd_conf_log_group_is_set:tst:1  true

The following items have been found on the system:
Result of item-state comparison  Path  Content
not evaluated  /etc/audit/auditd.conf  log_group = root

    /var/log/audit files mode 0750  oval:ssg-test_dir_permissions_var_log_audit-non_root:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_var_log_audit_directory-non_root:obj:1 of type file_object
Behaviors  no value
Path  /var/log/audit
Filename  no value
Filter  oval:ssg-state_not_mode_0750:ste:1
System Audit Logs Must Be Owned By Root  xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit  medium  CCE-82691-7

    System Audit Logs Must Be Owned By Root

Rule ID  xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit
Result  pass
Multi-check rule  no
OVAL Definition ID  oval:ssg-file_ownership_var_log_audit:def:1
Time  2025-10-23T19:36:54+00:00
Severity  medium
    Identifiers:

    CCE-82691-7

    References:
cis-csc  1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8
cjis  5.4.1.1
cobit5  APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01
cui  3.3.1
disa  CCI-000162, CCI-000163, CCI-000164, CCI-001314
isa-62443-2009  4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013  SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1
iso27001-2013  A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip  CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nist  CM-6(a), AC-6(1), AU-9(4)
nist-csf  DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4
pcidss  Req-10.5.1
os-srg  SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029
app-srg-ctr  SRG-APP-000118-CTR-000240, CNTR-OS-000250, CNTR-OS-000260, CNTR-OS-000270, CNTR-OS-000280, CNTR-OS-000290, CNTR-OS-000300
pcidss4  10.3.2, 10.3
    Description
All audit logs must be owned by the root user and group. By default, the audit log path is /var/log/audit/. To properly set the owner of /var/log/audit, run the command:
$ sudo chown root /var/log/audit
To properly set the owner of /var/log/audit/*, run the command:
$ sudo chown root /var/log/audit/*
    Rationale
    Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
    OVAL test results details

    /var/log/audit files uid root gid root  oval:ssg-test_ownership_var_log_audit_files:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_ownership_var_log_audit_files:obj:1 of type file_object
Behaviors  no value
Path  /var/log/audit
Filename  ^.*$
Filter  oval:ssg-state_owner_not_root_root_var_log_audit:ste:1

    /var/log/audit directories uid root gid root  oval:ssg-test_ownership_var_log_audit_directories:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_ownership_var_log_audit_directories:obj:1 of type file_object
Behaviors  no value
Path  /var/log/audit
Filename  no value
Filter  oval:ssg-state_owner_not_root_root_var_log_audit:ste:1

    log_group = root  oval:ssg-test_auditd_conf_log_group_not_root:tst:1  false

The following items have been found on the system:
Result of item-state comparison  Path  Content
not evaluated  /etc/audit/auditd.conf  log_group = root

    log_group is set  oval:ssg-test_auditd_conf_log_group_is_set:tst:1  true

The following items have been found on the system:
Result of item-state comparison  Path  Content
not evaluated  /etc/audit/auditd.conf  log_group = root

    /var/log/audit files uid root gid root  oval:ssg-test_ownership_var_log_audit_files-non_root:tst:1  true

The following items have been found on the system:
Result of item-state comparison  Path  Type  UID  GID  Size (B)  Permissions
not evaluated  /var/log/audit/audit.log.2  regular  0  0  8388857  r--------
not evaluated  /var/log/audit/audit.log.1  regular  0  0  8388964  r--------
not evaluated  /var/log/audit/audit.log  regular  0  0  511486  rw-------

    /var/log/audit directories uid root gid root  oval:ssg-test_ownership_var_log_audit_directories-non_root:tst:1  true

The following items have been found on the system:
Result of item-state comparison  Path  Type  UID  GID  Size (B)  Permissions
not evaluated  /var/log/audit/  directory  0  0  61  rwx------
System Audit Logs Must Have Mode 0640 or Less Permissive  xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit  medium  CCE-82690-9

    System Audit Logs Must Have Mode 0640 or Less Permissive

Rule ID  xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
Result  pass
Multi-check rule  no
OVAL Definition ID  oval:ssg-file_permissions_var_log_audit:def:1
Time  2025-10-23T19:36:54+00:00
Severity  medium
    Identifiers:

    CCE-82690-9

    References:
cis-csc  1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8
cjis  5.4.1.1
cobit5  APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01
cui  3.3.1
disa  CCI-000163, CCI-000164, CCI-001314, CCI-000162
isa-62443-2009  4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013  SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1
iso27001-2013  A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
nerc-cip  CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2
nist  CM-6(a), AC-6(1), AU-9(4)
nist-csf  DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4
pcidss  Req-10.5
os-srg  SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084
app-srg-ctr  SRG-APP-000118-CTR-000240, CNTR-OS-000250, CNTR-OS-000260, CNTR-OS-000270, CNTR-OS-000280, CNTR-OS-000290, CNTR-OS-000300
pcidss4  10.3.1, 10.3
    Description
Determine where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Configure the audit log to be protected from unauthorized read access by setting the correct mode with the following command:
$ sudo chmod 0600 audit_log_file
By default, audit_log_file is "/var/log/audit/audit.log".
    Rationale
    If users can write to audit logs, audit trails can be modified or destroyed.
    OVAL test results details

    log_file not set  oval:ssg-test_auditd_conf_log_file_not_set:tst:1  false

The following items have been found on the system:
Result of item-state comparison  Path  Content
not evaluated  /etc/audit/auditd.conf  log_file = /var/log/audit/audit.log

    audit log files mode 0600  oval:ssg-test_file_permissions_audit_log:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_log_files:obj:1 of type file_object
Filepath  /var/log/audit/audit.log
Filter  oval:ssg-state_not_mode_0600:ste:1

    log_file not set  oval:ssg-test_auditd_conf_log_file_not_set:tst:1  false

The following items have been found on the system:
Result of item-state comparison  Path  Content
not evaluated  /etc/audit/auditd.conf  log_file = /var/log/audit/audit.log

    default audit log files mode 0600  oval:ssg-test_file_permissions_default_audit_log:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_audit_default_log_files:obj:1 of type file_object
Filepath  /var/log/audit/audit.log
Filter  oval:ssg-state_not_mode_0600:ste:1
Configure auditd Disk Error Action on Disk Error  xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action  medium  CCE-82679-2

    Configure auditd Disk Error Action on Disk Error

Rule ID  xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action
Result  fail
Multi-check rule  no
OVAL Definition ID  oval:ssg-auditd_data_disk_error_action:def:1
Time  2025-10-23T19:36:55+00:00
Severity  medium
    Identifiers:

    CCE-82679-2

    References:
cis-csc  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8
cobit5  APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
disa  CCI-000140
isa-62443-2009  4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013  SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2
iso27001-2013  A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1
nist  AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a)
nist-csf  DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
os-srg  SRG-OS-000047-GPOS-00023
app-srg-ctr  SRG-APP-000098-CTR-000185, SRG-APP-000099-CTR-000190, SRG-APP-000100-CTR-000195, SRG-APP-000100-CTR-000200, SRG-APP-000109-CTR-000215, SRG-APP-000290-CTR-000670, SRG-APP-000357-CTR-000800, CNTR-OS-000190, CNTR-OS-000200, CNTR-OS-000210, CNTR-OS-000670
    Description
The auditd service can be configured to take an action when there is a disk error. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:
disk_error_action = ACTION
Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
    Rationale
    Taking appropriate action in case of disk errors will minimize the possibility of losing audit records.

Complexity: low
Disruption: low
Reboot: true
Strategy: restrict
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
            mode: 0640
            path: /etc/audit/auditd.conf
            overwrite: true
    
    OVAL test results details

    disk full action  oval:ssg-test_auditd_data_disk_error_action:tst:1  false

The following items have been found on the system:
Result of item-state comparison  Path  Content
false  /etc/audit/auditd.conf  disk_error_action = SUSPEND
Configure auditd Disk Full Action when Disk Space Is Full  xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action  medium  CCE-82676-8

    Configure auditd Disk Full Action when Disk Space Is Full

Rule ID  xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action
Result  fail
Multi-check rule  no
OVAL Definition ID  oval:ssg-auditd_data_disk_full_action:def:1
Time  2025-10-23T19:36:55+00:00
Severity  medium
    Identifiers:

    CCE-82676-8

    References:
cis-csc  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8
cobit5  APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
disa  CCI-000140
isa-62443-2009  4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013  SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2
iso27001-2013  A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1
nist  AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a)
nist-csf  DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
os-srg  SRG-OS-000047-GPOS-00023
    Description
The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:
disk_full_action = ACTION
Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
    Rationale
    Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.

Complexity: low
Disruption: low
Reboot: true
Strategy: restrict
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
            mode: 0640
            path: /etc/audit/auditd.conf
            overwrite: true
    
    OVAL test results details

    disk error action  oval:ssg-test_auditd_data_disk_full_action:tst:1  false

The following items have been found on the system:
Result of item-state comparison  Path  Content
false  /etc/audit/auditd.conf  disk_full_action = SUSPEND
Configure auditd admin_space_left Action on Low Disk Space  xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action  medium  CCE-82677-6

    Configure auditd admin_space_left Action on Low Disk Space

Rule ID  xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action
Result  fail
Multi-check rule  no
OVAL Definition ID  oval:ssg-auditd_data_retention_admin_space_left_action:def:1
Time  2025-10-23T19:36:55+00:00
Severity  medium
    Identifiers:

    CCE-82677-6

    References:
cis-csc  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8
cjis  5.4.1.1
cobit5  APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
cui  3.3.1
disa  CCI-001855
hipaa  164.312(a)(2)(ii)
isa-62443-2009  4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013  SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2
iso27001-2013  A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1
nist  AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a)
nist-csf  DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
pcidss  Req-10.7
os-srg  SRG-OS-000343-GPOS-00134
pcidss4  10.5.1, 10.5
    Description
The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:
admin_space_left_action = ACTION
Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
    Rationale
    Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.

Complexity: low
Disruption: low
Reboot: true
Strategy: restrict
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
            mode: 0640
            path: /etc/audit/auditd.conf
            overwrite: true
    
    OVAL test results details

    space left action  oval:ssg-test_auditd_data_retention_admin_space_left_action:tst:1  false

The following items have been found on the system:
Result of item-state comparison  Path  Content
false  /etc/audit/auditd.conf  admin_space_left_action = SUSPEND
Configure auditd flush priority  xccdf_org.ssgproject.content_rule_auditd_data_retention_flush  medium  CCE-82508-3

    Configure auditd flush priority

Rule ID  xccdf_org.ssgproject.content_rule_auditd_data_retention_flush
Result  pass
Multi-check rule  no
OVAL Definition ID  oval:ssg-auditd_data_retention_flush:def:1
Time  2025-10-23T19:36:55+00:00
Severity  medium
    Identifiers:

    CCE-82508-3

    References:
cis-csc  1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9
cobit5  APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
cui  3.3.1
disa  CCI-001576
hipaa  164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
isa-62443-2009  4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013  SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2
iso27001-2013  A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2
nerc-cip  CIP-004-6 R2.2.3, CIP-004-6 R3.3, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5
nist  AU-11, CM-6(a)
nist-csf  DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1
ospp  FAU_GEN.1
os-srg  SRG-OS-000480-GPOS-00227
    Description
The auditd service can be configured to synchronously write audit event data to disk. Add or correct the following line in /etc/audit/auditd.conf to ensure that audit event data is fully synchronized with the log files on the disk:
flush = incremental_async
    Rationale
    Audit data should be synchronously written to disk to ensure log integrity. These parameters assure that all audit event data is fully synchronized with the log files on the disk.
    OVAL test results details

    test the value of flush parameter in /etc/audit/auditd.conf  oval:ssg-test_auditd_data_retention_flush:tst:1  true

The following items have been found on the system:
Result of item-state comparison  Path  Content
true  /etc/audit/auditd.conf  flush = INCREMENTAL_ASYNC
Configure auditd Max Log File Size  xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file  medium  CCE-82694-1

    Configure auditd Max Log File Size

Rule ID  xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file
Result  pass
Multi-check rule  no
OVAL Definition ID  oval:ssg-auditd_data_retention_max_log_file:def:1
Time  2025-10-23T19:36:55+00:00
Severity  medium
    Identifiers:

    CCE-82694-1

    References:
cis-csc  1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8
cjis  5.4.1.1
cobit5  APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
isa-62443-2009  4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013  SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1
iso27001-2013  A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7
nerc-cip  CIP-004-6 R2.2.3, CIP-004-6 R3.3, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5
nist  AU-11, CM-6(a)
nist-csf  DE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4
pcidss  Req-10.7
    Description
Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting the correct value of 6 for STOREMB:
max_log_file = STOREMB
Set the value to 6 (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.
    Rationale
    The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
    OVAL test results details

    max log file size  oval:ssg-test_auditd_data_retention_max_log_file:tst:1  true

The following items have been found on the system:
Result of item-state comparison  Path  Content
true  /etc/audit/auditd.conf  max_log_file = 8
Configure auditd max_log_file_action Upon Reaching Maximum Log Size  xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action  medium  CCE-82680-0

    Configure auditd max_log_file_action Upon Reaching Maximum Log Size

Rule ID  xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action
Result  pass
Multi-check rule  no
OVAL Definition ID  oval:ssg-auditd_data_retention_max_log_file_action:def:1
Time  2025-10-23T19:36:55+00:00
Severity  medium
    Identifiers:

    CCE-82680-0

    References:
cis-csc  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8
cjis  5.4.1.1
cobit5  APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
disa  CCI-000140
hipaa  164.312(a)(2)(ii)
isa-62443-2009  4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
isa-62443-2013  SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2
iso27001-2013  A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1
nist  AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a)
nist-csf  DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
pcidss  Req-10.7
os-srg  SRG-OS-000047-GPOS-00023
    Description
The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the line in /etc/audit/auditd.conf:
max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
• ignore
• syslog
• suspend
• rotate
• keep_logs
Set the ACTION to rotate. The setting is case-insensitive.
    Rationale
    Automatically rotating logs (by setting this to rotate) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed.
    OVAL test results details

    admin space left action   oval:ssg-test_auditd_data_retention_max_log_file_action:tst:1  true

The following items have been found on the system:
Result of item-state comparison  Path  Content
true  /etc/audit/auditd.conf  max_log_file_action = ROTATE
Configure auditd Number of Logs Retained | xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs | medium | CCE-82693-3

    Configure auditd Number of Logs Retained

    Rule IDxccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs
    Result
    pass
    Multi-check ruleno
    OVAL Definition IDoval:ssg-auditd_data_retention_num_logs:def:1
    Time2025-10-23T19:36:55+00:00
    Severitymedium
    Identifiers:

    CCE-82693-3

    References:
    cis-csc1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8
    cjis5.4.1.1
    cobit5APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
    cui3.3.1
    isa-62443-20094.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1
    iso27001-2013A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7
    nerc-cipCIP-004-6 R2.2.3, CIP-004-6 R3.3, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5
    nistAU-11, CM-6(a)
    nist-csfDE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4
    pcidssReq-10.7
    Description
Determine how many log files auditd should retain when it rotates logs. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting NUMLOGS with the number of rotated files to keep (5 in this profile):
    num_logs = NUMLOGS
           
    Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.
    Rationale
    The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
    OVAL test results details

number of logs retained   oval:ssg-test_auditd_data_retention_num_logs:tst:1  true

    Following items have been found on the system:
Result of item-state comparison | Path | Content
true | /etc/audit/auditd.conf | num_logs = 5
Configure auditd space_left on Low Disk Space | xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left | medium | CCE-82681-8

    Configure auditd space_left on Low Disk Space

    Rule IDxccdf_org.ssgproject.content_rule_auditd_data_retention_space_left
    Result
    fail
    Multi-check ruleno
    OVAL Definition IDoval:ssg-auditd_data_retention_space_left:def:1
    Time2025-10-23T19:36:55+00:00
    Severitymedium
    Identifiers:

    CCE-82681-8

    References:
    cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8
    cobit5APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
    disaCCI-001855
    isa-62443-20094.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2
    iso27001-2013A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1
    nistAU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a)
    nist-csfDE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
    pcidssReq-10.7
    os-srgSRG-OS-000343-GPOS-00134
    pcidss410.5.1, 10.5
    Description
    The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting SIZE_in_MB appropriately:
    space_left = SIZE_in_MB
           
Set the value to the amount of remaining disk space, in megabytes, at which auditd should perform the space_left_action and so notify the administrator. The check on this node failed with space_left = 75, so 75 MB does not satisfy this profile's threshold.
    Rationale
    Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

    Complexity:low
    Disruption:low
    Reboot:true
    Strategy:restrict
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
            mode: 0640
            path: /etc/audit/auditd.conf
            overwrite: true
    
    OVAL test results details

space left   oval:ssg-test_auditd_data_retention_space_left:tst:1  false

    Following items have been found on the system:
Result of item-state comparison | Path | Content
false | /etc/audit/auditd.conf | space_left = 75
Configure auditd space_left Action on Low Disk Space | xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action | medium | CCE-82678-4

    Configure auditd space_left Action on Low Disk Space

    Rule IDxccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
    Result
    pass
    Multi-check ruleno
    OVAL Definition IDoval:ssg-auditd_data_retention_space_left_action:def:1
    Time2025-10-23T19:36:55+00:00
    Severitymedium
    Identifiers:

    CCE-82678-4

    References:
    cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8
    cjis5.4.1.1
    cobit5APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01
    cui3.3.1
    disaCCI-001855
    hipaa164.312(a)(2)(ii)
    isa-62443-20094.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2
    iso27001-2013A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1
    nistAU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a)
    nist-csfDE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4
    pcidssReq-10.7
    os-srgSRG-OS-000343-GPOS-00134
    pcidss410.5.1, 10.5
    Description
    The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately:
    space_left_action = ACTION
           
    Possible values for ACTION are described in the auditd.conf man page. These include:
    • syslog
    • email
    • exec
    • suspend
    • single
    • halt
Set this to email, as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt; the check on this system also accepted syslog, as the test result below shows.
    Rationale
    Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
    OVAL test results details

    space left action  oval:ssg-test_auditd_data_retention_space_left_action:tst:1  true

    Following items have been found on the system:
Result of item-state comparison | Path | Content
true | /etc/audit/auditd.conf | space_left_action = SYSLOG
Set number of records to cause an explicit flush to audit logs | xccdf_org.ssgproject.content_rule_auditd_freq | medium | CCE-82512-5

    Set number of records to cause an explicit flush to audit logs

    Rule IDxccdf_org.ssgproject.content_rule_auditd_freq
    Result
    pass
    Multi-check ruleno
    OVAL Definition IDoval:ssg-auditd_freq:def:1
    Time2025-10-23T19:36:55+00:00
    Severitymedium
    Identifiers:

    CCE-82512-5

    References:
    disaCCI-000154
    nistCM-6
    osppFAU_GEN.1
    os-srgSRG-OS-000051-GPOS-00024
    Description
To configure the Audit daemon to issue an explicit flush-to-disk command after writing 50 records, set freq to 50 in /etc/audit/auditd.conf. The freq value only takes effect when flush is set to incremental or incremental_async; with any other flush mode it is ignored.
Rationale
If freq isn't set to 50, the flush to disk may happen only after a higher number of records, widening the window in which buffered audit records can be lost.
    OVAL test results details

    tests the value of freq setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_freq:tst:1  true

    Following items have been found on the system:
Result of item-state comparison | Path | Content
true | /etc/audit/auditd.conf | freq = 50
Include Local Events in Audit Logs | xccdf_org.ssgproject.content_rule_auditd_local_events | medium | CCE-82509-1

    Include Local Events in Audit Logs

    Rule IDxccdf_org.ssgproject.content_rule_auditd_local_events
    Result
    pass
    Multi-check ruleno
    OVAL Definition IDoval:ssg-auditd_local_events:def:1
    Time2025-10-23T19:36:55+00:00
    Severitymedium
    Identifiers:

    CCE-82509-1

    References:
    disaCCI-000366, CCI-000169
    nistCM-6
    os-srgSRG-OS-000062-GPOS-00031, SRG-OS-000480-GPOS-00227
    Description
    To configure Audit daemon to include local events in Audit logs, set local_events to yes in /etc/audit/auditd.conf. This is the default setting.
    Rationale
If local_events isn't set to yes, only events received over the network from other nodes being aggregated are recorded; the node's own events are not written by auditd.
    OVAL test results details

    tests the value of local_events setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_local_events:tst:1  true

    Following items have been found on the system:
Result of item-state comparison | Path | Content
true | /etc/audit/auditd.conf | local_events = yes
Resolve information before writing to audit logs | xccdf_org.ssgproject.content_rule_auditd_log_format | low | CCE-82511-7

    Resolve information before writing to audit logs

    Rule IDxccdf_org.ssgproject.content_rule_auditd_log_format
    Result
    pass
    Multi-check ruleno
    OVAL Definition IDoval:ssg-auditd_log_format:def:1
    Time2025-10-23T19:36:55+00:00
    Severitylow
    Identifiers:

    CCE-82511-7

    References:
    disaCCI-000366, CCI-001487
    nistCM-6, AU-3
    osppFAU_GEN.1.2
    os-srgSRG-OS-000255-GPOS-00096, SRG-OS-000480-GPOS-00227
    app-srg-ctrSRG-APP-000096-CTR-000175, SRG-APP-000097-CTR-000180, SRG-APP-000098-CTR-000185, SRG-APP-000099-CTR-000190, SRG-APP-000100-CTR-000195, SRG-APP-000100-CTR-000200, SRG-APP-000109-CTR-000215, SRG-APP-000290-CTR-000670, SRG-APP-000357-CTR-000800, CNTR-OS-000190, CNTR-OS-000200, CNTR-OS-000210, CNTR-OS-000670
    Description
    To configure Audit daemon to resolve all uid, gid, syscall, architecture, and socket address information before writing the events to disk, set log_format to ENRICHED in /etc/audit/auditd.conf.
    Rationale
If log_format isn't set to ENRICHED, the audit records are stored exactly as the kernel sends them, with numeric uids, gids, syscall numbers and architecture codes that have to be resolved later, possibly on a different host where the mapping no longer matches the one in force when the event was recorded.
    OVAL test results details

    tests the value of log_format setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_log_format:tst:1  true

    Following items have been found on the system:
Result of item-state comparison | Path | Content
true | /etc/audit/auditd.conf | log_format = ENRICHED
Set type of computer node name logging in audit logs | xccdf_org.ssgproject.content_rule_auditd_name_format | medium | CCE-82513-3

    Set type of computer node name logging in audit logs

    Rule IDxccdf_org.ssgproject.content_rule_auditd_name_format
    Result
    fail
    Multi-check ruleno
    OVAL Definition IDoval:ssg-auditd_name_format:def:1
    Time2025-10-23T19:36:55+00:00
    Severitymedium
    Identifiers:

    CCE-82513-3

    References:
    disaCCI-000132, CCI-001851
    nistCM-6, AU-3
    osppFAU_GEN.1.2
    os-srgSRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224
    pcidss410.2.2, 10.2
    Description
    To configure Audit daemon to use a unique identifier as computer node name in the audit events, set name_format to hostname in /etc/audit/auditd.conf.
    Rationale
    If option name_format is left at its default value of none, audit events from different computers may be hard to distinguish.
    Warnings
warning  Whenever the variable var_auditd_name_format uses a multiple value option, for example A|B|C, the first value will be used when remediating this rule.

    Complexity:low
    Disruption:low
    Reboot:true
    Strategy:restrict
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
        storage:
          files:
          - contents:
              source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
            mode: 0640
            path: /etc/audit/auditd.conf
            overwrite: true
    
    OVAL test results details

    tests the value of name_format setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_name_format:tst:1  false

    Following items have been found on the system:
Result of item-state comparison | Path | Content
false | /etc/audit/auditd.conf | name_format = NONE
Write Audit Logs to the Disk | xccdf_org.ssgproject.content_rule_auditd_write_logs | medium | CCE-82510-9

    Write Audit Logs to the Disk

    Rule IDxccdf_org.ssgproject.content_rule_auditd_write_logs
    Result
    pass
    Multi-check ruleno
    OVAL Definition IDoval:ssg-auditd_write_logs:def:1
    Time2025-10-23T19:36:55+00:00
    Severitymedium
    Identifiers:

    CCE-82510-9

    References:
    disaCCI-000366
    nistCM-6
    os-srgSRG-OS-000480-GPOS-00227
    Description
    To configure Audit daemon to write Audit logs to the disk, set write_logs to yes in /etc/audit/auditd.conf. This is the default setting.
    Rationale
    If write_logs isn't set to yes, the Audit logs will not be written to the disk.
    OVAL test results details

    tests the value of write_logs setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_write_logs:tst:1  true

    Following items have been found on the system:
Result of item-state comparison | Path | Content
true | /etc/audit/auditd.conf | write_logs = yes

    tests the absence of write_logs setting in the /etc/audit/auditd.conf file  oval:ssg-test_auditd_write_logs_default_not_overriden:tst:1  false

    Following items have been found on the system:
Result of item-state comparison | Path | Content
not evaluated | /etc/audit/auditd.conf | write_logs =
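The nine auditd.conf rules above (max_log_file_action, num_logs, space_left, space_left_action, freq, local_events, log_format, name_format and write_logs) all come down to reading one file and comparing keywords. The following is an added example, not part of the ComplianceAsCode content, the Compliance Operator or this scan: it parses an auditd.conf the way auditd does (comments stripped, keywords and values compared case-insensitively), applies each check as the descriptions above state it, and also decodes the percent-encoded data: URL a MachineConfig remediation carries so the file it would write can be inspected before it is applied. The sample configuration is constructed to reproduce the values this scan reported; SPACE_LEFT_MB is an assumed threshold (the profile's var_auditd_space_left is not shown on this page, only that 75 failed), syslog is accepted for space_left_action because the scan above passed with it, and treating num_logs values above 5 as acceptable is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample auditd.conf reproducing the values the scan on this page
# reported (ROTATE, 5, 75, SYSLOG, 50, yes, ENRICHED, NONE, yes).
SAMPLE_AUDITD_CONF = """\
#
# This file controls the configuration of the audit daemon
#
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 6
num_logs = 5
name_format = NONE
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
"""

# Expected values taken from the rule descriptions above. The profile's actual
# var_auditd_* values are not shown on this page: SPACE_LEFT_MB is an assumed
# threshold (the page only shows that 75 failed), syslog is accepted for
# space_left_action because the scan above passed with it, and num_logs above 5
# is assumed acceptable.
SPACE_LEFT_MB = 100
ACCEPTED = {
    "max_log_file_action": {"rotate"},
    "space_left_action": {"email", "syslog", "suspend", "single", "halt"},
    "local_events": {"yes"},
    "log_format": {"enriched"},
    "name_format": {"hostname"},
    "write_logs": {"yes"},
}
# Settings whose absence means the documented default applies (the write_logs
# OVAL test above explicitly accepts the setting being absent).
DEFAULTS = {"local_events": "yes", "write_logs": "yes", "name_format": "none"}
PLACEHOLDER = re.compile(r"\{\{.*?\}\}")


def parse_auditd_conf(text):
    """Map keyword -> value; comments and blank lines are skipped. auditd treats
    keywords and values case-insensitively, so both are lowercased here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().lower()
    return settings


def decode_ignition_data_url(source):
    """Decode the percent-encoded 'data:,' URL that a MachineConfig
    storage.files[].contents.source field carries and return the file text."""
    if not source.startswith("data:,"):
        raise ValueError("only plain 'data:,' URLs are handled here")
    return unquote(source[len("data:,"):])


def as_int(value):
    """Integer form of a numeric auditd value; None when missing or not numeric."""
    return int(value) if value is not None and value.isdigit() else None


def check_auditd_conf(text, space_left_mb=SPACE_LEFT_MB):
    """Return {check: (passed, detail)} for the auditd.conf rules on this page."""
    cfg = parse_auditd_conf(text)
    res = {}
    # Template placeholders left in a rendered manifest are not values auditd can use.
    unresolved = sorted(k for k, v in cfg.items() if PLACEHOLDER.search(v))
    res["no_unresolved_placeholders"] = (not unresolved, ", ".join(unresolved) or "none")
    for key, allowed in ACCEPTED.items():
        val = cfg.get(key, DEFAULTS.get(key))
        res[key] = (val in allowed, f"{key} = {val}")
    num_logs = as_int(cfg.get("num_logs"))
    # num_logs below 2 disables rotation regardless of max_log_file_action.
    note = " (below 2: no rotation at all)" if num_logs is not None and num_logs < 2 else ""
    res["num_logs"] = (num_logs is not None and num_logs >= 5, f"num_logs = {num_logs}{note}")
    space_left = as_int(cfg.get("space_left"))
    res["space_left"] = (space_left is not None and space_left >= space_left_mb,
                         f"space_left = {space_left} MB, threshold {space_left_mb} MB")
    # freq is only honoured when flush is incremental or incremental_async.
    freq, flush = as_int(cfg.get("freq")), cfg.get("flush")
    res["freq"] = (freq == 50 and flush in ("incremental", "incremental_async"),
                   f"freq = {freq}, flush = {flush}")
    return res


if __name__ == "__main__":
    for check, (ok, detail) in check_auditd_conf(SAMPLE_AUDITD_CONF).items():
        print(f"{'pass' if ok else 'fail'}  {check:30} {detail}")
```

Run against the sample it reports the same two failures the scan does (name_format and space_left). On a live node the file can be read from an `oc debug node/<name>` session after `chroot /host`; to preview a remediation, paste the manifest's contents.source string into decode_ignition_data_url and feed the result to check_auditd_conf, which will flag any {{...}} placeholders the rendered manifest still contains.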
Ensure the audit Subsystem is Installed | xccdf_org.ssgproject.content_rule_package_audit_installed | medium | CCE-82669-3

    Ensure the audit Subsystem is Installed

    Rule IDxccdf_org.ssgproject.content_rule_package_audit_installed
    Result
    pass
    Multi-check ruleno
    OVAL Definition IDoval:ssg-package_audit_installed:def:1
    Time2025-10-23T19:36:48+00:00
    Severitymedium
    Identifiers:

    CCE-82669-3

    References:
    disaCCI-000133, CCI-001881, CCI-001875, CCI-000154, CCI-001882, CCI-000158, CCI-001914, CCI-000169, CCI-001464, CCI-001878, CCI-001877, CCI-001889, CCI-000135, CCI-002884, CCI-001487, CCI-003938, CCI-000132, CCI-000134, CCI-000172, CCI-000130, CCI-000131, CCI-001879, CCI-001880, CCI-001876, CCI-000159
    hipaa164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b)
    nerc-cipCIP-004-6 R3.3, CIP-007-3 R6.5
    nistAC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a)
    osppFAU_GEN.1
    pcidssReq-10.1
    os-srgSRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220
    anssiR33, R73
    pcidss410.2.1, 10.2
    Description
    The audit package should be installed.
    Rationale
The auditd service is the access monitoring and accounting daemon of the Linux Auditing System: it records the system calls the kernel reports to it so that any access can be audited, independently of whatever local access control policy, such as the SELinux policy, allowed or denied that access.
    OVAL test results details

    package audit is installed  oval:ssg-test_package_audit_installed:tst:1  true

    Following items have been found on the system:
Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
not evaluated | audit | x86_64 | (none) | 4.el9 | 3.1.5 | 0:3.1.5-4.el9 | 199e2f91fd431d51 | audit-0:3.1.5-4.el9.x86_64
Enable auditd Service | xccdf_org.ssgproject.content_rule_service_auditd_enabled | medium | CCE-82463-1

    Enable auditd Service

    Rule IDxccdf_org.ssgproject.content_rule_service_auditd_enabled
    Result
    pass
    Multi-check ruleno
    OVAL Definition IDoval:ssg-service_auditd_enabled:def:1
    Time2025-10-23T19:36:53+00:00
    Severitymedium
    Identifiers:

    CCE-82463-1

    References:
    cis-csc1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9
    cjis5.4.1.1
    cobit5APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui3.3.1, 3.3.2, 3.3.6
    disaCCI-000133, CCI-001881, CCI-001875, CCI-000154, CCI-001882, CCI-000158, CCI-001914, CCI-000169, CCI-001464, CCI-001878, CCI-001877, CCI-001889, CCI-000135, CCI-002884, CCI-001487, CCI-003938, CCI-000132, CCI-004188, CCI-000134, CCI-000172, CCI-000130, CCI-000131, CCI-001879, CCI-001880, CCI-001876
    hipaa164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b)
    isa-62443-20094.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6
    iso27001-2013A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nerc-cipCIP-004-6 R3.3, CIP-007-3 R6.5
    nistAC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23)
    nist-csfDE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    osppFAU_GEN.1
    pcidssReq-10.1
    os-srgSRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220
    app-srg-ctrSRG-APP-000095-CTR-000170, SRG-APP-000409-CTR-000990, SRG-APP-000508-CTR-001300, SRG-APP-000510-CTR-001310, CNTR-OS-000150, CNTR-OS-000180
    anssiR33, R73
    pcidss410.2.1, 10.2
    Description
    The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following manifest:
    ---
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      labels:
        machineconfiguration.openshift.io/role: master
      name: 75-master-auditd-enable
    spec:
      config:
        ignition:
          version: 3.1.0
        systemd:
          units:
          - name: auditd.service
            enabled: true
    

    This will enable the auditd service in all the nodes labeled with the "master" role.

Note that this needs to be done for each MachineConfigPool, with the role label and the manifest name adjusted accordingly (for example worker).

    For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.

    Rationale
    Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

    Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
    OVAL test results details

    package audit is installed  oval:ssg-test_service_auditd_package_audit_installed:tst:1  true

    Following items have been found on the system:
Result of item-state comparison | Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name
not evaluated | audit | x86_64 | (none) | 4.el9 | 3.1.5 | 0:3.1.5-4.el9 | 199e2f91fd431d51 | audit-0:3.1.5-4.el9.x86_64

    Test that the auditd service is running  oval:ssg-test_service_running_auditd:tst:1  true

    Following items have been found on the system:
Result of item-state comparison | Unit | Property | Value
true | auditd.service | ActiveState | active

multi-user.target wants auditd.service  oval:ssg-test_multi_user_wants_auditd:tst:1  true

    Following items have been found on the system:
Result of item-state comparison | Unit | Dependencies
true | multi-user.target | basic.target, var.mount, sysinit.target, integritysetup.target, systemd-sysctl.service, ldconfig.service, systemd-pstore.service, systemd-binfmt.service, systemd-update-utmp.service, systemd-journal-catalog-update.service, systemd-journald.service, dev-hugepages.mount, systemd-pcrphase.service, selinux-autorelabel-mark.service, local-fs.target, ostree-remount.service, tmp.mount, boot.mount, systemd-remount-fs.service, systemd-pcrmachine.service, cryptsetup.target, clevis-luks-askpass.path, systemd-tmpfiles-setup-dev.service, systemd-ask-password-console.path, lvm2-lvmpolld.socket, dev-mqueue.mount, systemd-tmpfiles-setup.service, sys-kernel-tracing.mount, systemd-udev-trigger.service, systemd-hwdb-update.service, systemd-journal-flush.service, dracut-shutdown.service, sys-kernel-debug.mount, veritysetup.target, systemd-repart.service, sys-fs-fuse-connections.mount, systemd-machine-id-commit.service, ignition-delete-config.service, systemd-update-done.service, sys-kernel-config.mount, swap.target, kmod-static-nodes.service, systemd-network-generator.service, systemd-pcrphase-sysinit.service, iscsi-onboot.service, lvm2-monitor.service, systemd-modules-load.service, systemd-udevd.service, systemd-boot-update.service, multipathd.service, systemd-sysusers.service, coreos-printk-quiet.service, systemd-random-seed.service, systemd-boot-random-seed.service, proc-sys-fs-binfmt_misc.automount, slices.target, -.slice, system.slice, coreos-ignition-firstboot-complete.service, microcode.service, timers.target, unbound-anchor.timer, systemd-tmpfiles-clean.timer, logrotate.timer, paths.target, sockets.target, iscsid.socket, systemd-initctl.socket, iscsiuio.socket, systemd-coredump.socket, dbus.socket, dm-event.socket, systemd-journald-dev-log.socket, multipathd.socket, systemd-udevd-control.socket, systemd-journald.socket, systemd-udevd-kernel.socket, coreos-update-ca-trust.service, afterburn-sshkeys.target, getty.target, serial-getty@ttyS0.service, getty@tty1.service, chronyd.service, coreos-liveiso-success.service, systemd-update-utmp-runlevel.service, console-login-helper-messages-gensnippet-ssh-keys.service, NetworkManager.service, remote-fs.target, afterburn-firstboot-checkin.service, kubelet-cleanup.service, ostree-readonly-sysroot-migration.service, irqbalance.service, systemd-logind.service, mdmonitor.service, crio-subid.service, systemd-ask-password-wall.path, afterburn-checkin.service, sssd.service, rpm-ostree-fix-shadow-mode.service, auditd.service, ostree-boot-complete.service, vmtoolsd.service, kubelet.service, rhsmcertd.service, bootc-status-updated.path, gcp-routes.service, openvswitch.service, bootc-status-updated-onboot.target, coreos-ignition-delete-config.service, remote-cryptsetup.target, coreos-platform-chrony-config.service, sshd.service, systemd-user-sessions.service, coreos-ignition-write-issues.service

multi-user.target wants auditd.socket  oval:ssg-test_multi_user_wants_auditd_socket:tst:1  false

    Following items have been found on the system:
Result of item-state comparison | Unit | Dependencies
false | multi-user.target | the same dependency list as in the previous test (auditd.service is present, auditd.socket is not among the dependencies)
Extend Audit Backlog Limit for the Audit Daemon | xccdf_org.ssgproject.content_rule_coreos_audit_backlog_limit_kernel_argument | medium | CCE-82671-9

    Extend Audit Backlog Limit for the Audit Daemon

    Rule ID: xccdf_org.ssgproject.content_rule_coreos_audit_backlog_limit_kernel_argument
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-coreos_audit_backlog_limit_kernel_argument:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82671-9

    References:
    nist: CM-6(a)
    os-srg: SRG-OS-000254-GPOS-00095
    app-srg-ctr: SRG-APP-000092-CTR-000165, CNTR-OS-000170, CNTR-OS-000220
    Description
    To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument audit_backlog_limit=8192 to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf.
    Rationale
    audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during the boot process, the action defined by the audit failure flag is taken.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: restrict
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
      kernelArguments:
        - audit_backlog_limit=8192
    
    OVAL test results details

    Check if /boot/loader/entries/ostree-2.*.conf does not exist  oval:ssg-test_coreos_audit_backlog_limit_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_coreos_audit_backlog_limit_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1 of type file_object
    Filepath
    ^/boot/loader/entries/ostree-2.*.conf

    Check if argument audit_backlog_limit=8192 is present in the line starting with 'options ' in /boot/loader/entries/ostree-1.*.conf  oval:ssg-test_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_ostree_1_conf:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    false | /boot/loader/entries/ostree-1.conf | options rw $ignition_firstboot ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1="all" psi=0

    Check if argument audit_backlog_limit=8192 is present in the line starting with 'options ' in /boot/loader/entries/ostree-2.*.conf  oval:ssg-test_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_ostree_2_conf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_ostree_2_conf:obj:1 of type textfilecontent54_object
    Filepath | Pattern | Instance
    ^/boot/loader/entries/ostree-2.*.conf | ^options (.*)$ | 1

    Check if argument audit_backlog_limit=8192 is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline  oval:ssg-test_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_proc_cmdline:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    false | /proc/cmdline | BOOT_IMAGE=(hd0,gpt3)/boot/ostree/rhcos-96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/vmlinuz-5.14.0-570.51.1.el9_6.x86_64 rw ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all psi=0
    Enable Auditing for Processes Which Start Prior to the Audit Daemon | xccdf_org.ssgproject.content_rule_coreos_audit_option | medium | CCE-82670-1

    Enable Auditing for Processes Which Start Prior to the Audit Daemon

    Rule ID: xccdf_org.ssgproject.content_rule_coreos_audit_option
    Result: fail
    Multi-check rule: no
    OVAL Definition ID: oval:ssg-coreos_audit_option:def:1
    Time: 2025-10-23T19:36:53+00:00
    Severity: medium
    Identifiers:

    CCE-82670-1

    References:
    cis-csc: 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8
    cjis: 5.4.1.1
    cobit5: APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.02, DSS05.03, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01
    cui: 3.3.1
    disa: CCI-001464, CCI-000130
    hipaa: 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b)
    isa-62443-2009: 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4
    isa-62443-2013: SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 7.1, SR 7.6
    iso27001-2013: A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2
    nerc-cip: CIP-004-6 R3.3, CIP-007-3 R7.1
    nist: AC-17(1), AU-14(1), AU-10, CM-6(a), IR-5(1)
    nist-csf: DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4
    pcidss: Req-10.3
    app-srg-ctr: SRG-APP-000092-CTR-000165, CNTR-OS-000170, CNTR-OS-000220
    Description
    To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to all BLS (Boot Loader Specification) entries ('options' line) for the Linux operating system in /boot/loader/entries/*.conf.
    Rationale
    Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.

    Complexity: low
    Disruption: medium
    Reboot: true
    Strategy: restrict
    
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    spec:
      config:
        ignition:
          version: 3.1.0
      kernelArguments:
        - audit=1
    
    OVAL test results details

    Check if /boot/loader/entries/ostree-2.*.conf does not exist  oval:ssg-test_coreos_audit_option_file_boot_loader_entries_ostree_2_conf_absent:tst:1  true

    No items have been found conforming to the following objects:
    Object oval:ssg-object_coreos_audit_option_file_boot_loader_entries_ostree_2_conf_absent:obj:1 of type file_object
    Filepath
    ^/boot/loader/entries/ostree-2.*.conf

    Check if argument audit=1 is present in the line starting with 'options ' in /boot/loader/entries/ostree-1.*.conf  oval:ssg-test_coreos_audit_option_audit_1_argument_in_boot_loader_entries_ostree_1_conf:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    false | /boot/loader/entries/ostree-1.conf | options rw $ignition_firstboot ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1="all" psi=0

    Check if argument audit=1 is present in the line starting with 'options ' in /boot/loader/entries/ostree-2.*.conf  oval:ssg-test_coreos_audit_option_audit_1_argument_in_boot_loader_entries_ostree_2_conf:tst:1  false

    No items have been found conforming to the following objects:
    Object oval:ssg-object_coreos_audit_option_audit_1_argument_in_boot_loader_entries_ostree_2_conf:obj:1 of type textfilecontent54_object
    Filepath | Pattern | Instance
    ^/boot/loader/entries/ostree-2.*.conf | ^options (.*)$ | 1

    Check if argument audit=1 is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline  oval:ssg-test_coreos_audit_option_audit_1_argument_in_proc_cmdline:tst:1  false

    Following items have been found on the system:
    Result of item-state comparison | Path | Content
    false | /proc/cmdline | BOOT_IMAGE=(hd0,gpt3)/boot/ostree/rhcos-96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/vmlinuz-5.14.0-570.51.1.el9_6.x86_64 rw ostree=/ostree/boot.1/rhcos/96cd58a8387140c6e78935abac80c42c599d249129cb11524ec1ba9b2f1c13cc/0 ignition.platform.id=aws console=tty0 console=ttyS0,115200n8 root=UUID=d8142f91-3ca3-4d07-8da9-9feec972eff6 rw rootflags=prjquota boot=UUID=4efce5b0-24df-4070-a06b-f5068bebe26a systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all psi=0
    Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.